When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify an SSL certificate for each published DNS name, so you have to use a single certificate carrying many Subject Alternative Names. If you want to handle your proxy services separately, each with its own certificate and without another SSL terminator in front of your MAG, follow this procedure.
In the Administration Console, go to Reverse Proxy Service: AG_Cluster – [https reverse proxy name] – [proxy service name] – Advanced Options and add these lines, pointing at the certificate and key issued for that proxy service's published DNS name (the files must exist at that path on the gateway):

SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
The Access Gateway still writes its own SSLCertificateFile/SSLCertificateKeyFile pair into each generated vhost file, ahead of the lines taken from Advanced Options, so the vhost ends up with two pairs. Save the following script as /etc/init.d/fixMultipleSSLCertificate.sh and make it executable; it comments out the generated pair in every vhost file that contains more than one active SSLCertificateFile directive:

#!/bin/bash
# Comment out the generated SSLCertificateFile/SSLCertificateKeyFile pair in
# every vhost file that also carries the pair added through Advanced Options.
cd /etc/opt/novell/apache2/conf/vhosts.d/ || exit 1
for f in *.conf
do
  # more than one active SSLCertificateFile means a generated pair plus the
  # Advanced Options pair; files with a single directive are left alone
  if [[ $(grep -c -e '^\s*SSLCertificateFile' "$f") -gt 1 ]]
  then
    #echo "$f found"
    # from the top of the file to the "Advanced Options" marker, turn
    # " SSLCertificate..." into "#SSLCertificate..." (GNU sed 0,/re/ range);
    # -i -e, not -ie: "-ie" would write a backup copy with the suffix "e"
    sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$f"
  fi
done
Then call the script from the start and reload branches of the init script that starts the gateway's Apache (the one printing "Starting Novell Gateway Service..."), so the duplicated directives are removed every time the vhost files are regenerated and Apache is started or reloaded. The two calls to /etc/init.d/fixMultipleSSLCertificate.sh are the lines to add:

case "$1" in
  start*)
    echo -n "Starting Novell Gateway Service..."
    if [ -e $PID_FILE ]; then
      $0 status &>/dev/null
      ret=$?
      if [ $ret = 1 ]; then
        echo "Warning: found stale pidfile (unclean shutdown?)"
      elif [ $ret = 0 ]; then
        echo "Novell Gateway Service is already running ($PID_FILE)"
        rc_failed $ret
        rc_status -v1
        rc_exit
      fi
    fi
    # added: drop the generated SSLCertificate* pair before Apache reads the vhosts
    /etc/init.d/fixMultipleSSLCertificate.sh
    cmdline="$APACHE_BIN $APACHE_OPTIONS"
    if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
      rc_status -v
    else
      rc_status -v
      echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
    fi
    ;;
  reload|force-reload|graceful)
    echo -n "Reloading Novell Gateway Service..."
    if ! [ -f $PID_FILE ]; then
      cmdline="$APACHE_BIN $APACHE_OPTIONS"
      if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
        rc_status -v
      else
        rc_status -v
        echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
      fi
    else
      cmdline="$APACHE_BIN $APACHE_OPTIONS"
      if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then
        # added: fix the regenerated vhosts before the graceful restart (USR1)
        /etc/init.d/fixMultipleSSLCertificate.sh
        killproc -USR1 $APACHE_BIN || return=$rc_failed
        rc_status -v
      else
        echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
        rc_failed 6
        rc_status -v1
      fi
    fi
    ;;
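As an added example that is not part of the original article, the following shell snippet exercises the same comment-out logic on a constructed vhost file and checks the result, so the fix can be verified before it is hooked into the init script. The vhost layout (generated SSLCertificate lines first, an "Advanced Options" marker, then the lines added in the Administration Console), the file name svc.conf and the example.com host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: run the comment-out logic on
# a constructed vhost file and verify the outcome. awk replaces the
# GNU-sed-only "0,/re/" range, so this also works where sed is not GNU sed.

# Count active (uncommented) SSLCertificateFile directives in a vhost file.
active_cert_count() {
    grep -c '^[[:space:]]*SSLCertificateFile' "$1"
}

# Path named by the remaining active SSLCertificateFile directive(s).
active_cert_file() {
    grep '^[[:space:]]*SSLCertificateFile' "$1" | awk '{ print $2 }'
}

# Comment out the generated SSLCertificate* lines that precede the
# "Advanced Options" marker, but only when the file holds more than one
# active SSLCertificateFile (generated pair + Advanced Options pair).
# Running it again on an already-fixed file changes nothing.
fix_vhost() {
    f=$1
    [ "$(active_cert_count "$f")" -gt 1 ] || return 0
    awk '
        /Advanced Options/ { seen = 1 }
        !seen && /^[ \t]*SSLCertificate(File|KeyFile)/ {
            sub(/SSLCertificate/, "#SSLCertificate")
        }
        { print }
    ' "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" \
        && rm -f "$f.tmp"        # cat, not mv: keeps owner and mode of $f
}

# Constructed sample in the assumed layout: generated certificate lines first,
# then the block copied from Advanced Options. The host name is made up.
make_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
 ServerName proxydnsname.example.com
 SSLEngine on
 SSLCertificateFile /opt/novell/apache2/certs/generated.crt
 SSLCertificateKeyFile /opt/novell/apache2/certs/generated.key
 # Advanced Options
 SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
 SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
</VirtualHost>
EOF
}
```

After fix_vhost only the Advanced Options certificate stays active, and a second run leaves the file unchanged.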
With these modifications you can assign a separate certificate to each proxy service. If the certificate matches the published DNS name (and chains to a CA the client trusts), the browser will accept it without warnings.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.