I have a TAC case open to see if any good documentation exists for this, but I did get a basic installation up and running using SDM 2.5. Unfortunately SDM will NOT recognize that AnyConnect is installed even though it is. You will need to install the AnyConnect packages manually and then set up the rest in SDM.
First, install the AnyConnect packages. I use the Windows and Mac packages. TFTP them onto the router and install them using (from conf t):
webvpn install svc flash:/windows_package_name.pkg sequence 1
webvpn install svc flash:/mac_package_name.pkg sequence 2
It will install and your config will have lines like this:
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
Now you can go into SDM and run the wizard.
Hope this helps!
-Andy
Update: I got a reply on my TAC case. Here are the URLs Cisco sent me:
Here is the IOS SSL VPN Data Sheet that explains what features are available
www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html
Here is the IOS SSL VPN CLI Configuration Guide:
www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html
Here are several IOS SSL VPN Configuration Examples & TechNotes:
www.cisco.com/en/US/products/ps6657/prod_configuration_examples_list.html
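As an added example (not from Andy's post, SDM output, or Cisco's documentation), here is a minimal IOS SSL VPN gateway/context configuration of the kind the CLI guide linked above describes, showing where the installed packages fit once the rest is set up. All names, addresses, the trustpoint and the user are placeholders.

```cisco
! Added example: minimal IOS SSL VPN (webvpn) configuration with AnyConnect (SVC) enabled.
! All names, addresses, the trustpoint name and the user are placeholders; adjust to your environment.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret <password-placeholder>
!
! Address pool handed to AnyConnect (SVC) clients for their tunnel interface
ip local pool SSLVPN-POOL 10.10.10.10 10.10.10.50
!
! Packages installed earlier (the lines that appear in the running config)
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
!
! Gateway: listening address/port and the certificate (trustpoint) presented to clients
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 http-redirect port 80
 ssl trustpoint SSLVPN-TP
 inservice
!
! Context: ties the gateway to an authentication list and a policy group
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 ssl authenticate verify all
 policy group SSLVPN-POLICY
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  svc keep-client-installed
  svc split include 192.168.0.0 255.255.0.0
 default-group-policy SSLVPN-POLICY
 inservice
```

After installing the packages, `show webvpn install status svc` confirms the router sees them regardless of what SDM reports.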
Best Answer
I don't know anything about your Cisco gear, but generally speaking any SSL client will have copies installed of the public key for the CAs it trusts. I presume your Cisco kit is the same, but I can't help you with how to install a specific certificate it doesn't already have.
If your system relies on public CA infrastructure, then not much will help if the CA is compromised. At that point a MITM attacker can sign their own key and there is little you can do to distinguish whether that key has been legitimately signed or not. If the attacker has the CA key, there's no difference between them and one signed by the CA using the same key. The only thing you can do is to make sure you have a mechanism for tracking revocations that might be issued for the CA certs.
If you only want to accept certificates signed by a specific CA (limiting your exposure to other CAs being compromised), then you could remove all the CA certs except the one you trust.
Many SSL communications with a known set of devices (and this is therefore likely for a VPN product) keep a registry with a fingerprint of each client's certificate, or sign the client certs with a key held by the server (i.e. the server is its own CA). In these cases there is no need for an external CA, but there has to be a system for securely issuing or signing the certificates. That seems likely for your VPN product, but as I say, I don't know the Cisco gear. If you have an architecture of this sort though, the key point is that compromise of public CAs is unlikely to concern you.
If you have a system where your VPN server is signing certificates itself, then having the client certs signed by your own CA is every bit as good as checking the client certs against some sort of registry, which is what your list of pinned certs would effectively be.