When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify an SSL certificate for each published DNS name. You therefore have to define a single certificate with a long list of Subject Alternative Names. If you want to handle your proxy services separately, each one with its own certificate and without another SSL terminator in front of your MAG, follow this procedure.

1 – Log on to your MAG via ssh and put your certificate and key under /opt/novell/apache2/certs:

    /opt/novell/apache2/certs/proxydnsname.crt
    /opt/novell/apache2/certs/proxydnsname.key

2 – In the Access Manager Administration Console go to:

    Reverse Proxy Service: AG_Cluster – [https reverse proxy name] – [proxy service name] – Advanced Options

and add these lines:

    SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
    SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
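Before pointing Advanced Options at a certificate/key pair it is worth confirming that the key really belongs to the certificate and that the certificate carries the published DNS name as a Subject Alternative Name, since that is what decides whether the browser accepts it. The following script is an added example and not part of the original post; it generates a constructed self-signed pair with openssl for the demo, and the name proxydnsname.example.com is a placeholder.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check a certificate/key
# pair and the published DNS name before using them in Advanced Options.
set -u

# Return 0 if the key's public half matches the certificate's public key.
cert_matches_key() {
    local cert="$1" key="$2"
    local cpub kpub
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Return 0 if the certificate lists the published DNS name as a SAN entry
# (browsers match the SAN list, not the CN).
cert_covers_name() {
    local cert="$1" name="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$name"
}

# Combined check for one proxy service: both conditions must hold.
check_proxy_cert() {
    local cert="$1" key="$2" name="$3"
    cert_matches_key "$cert" "$key" || { echo "key does not match $cert" >&2; return 1; }
    cert_covers_name "$cert" "$name" || { echo "$cert has no SAN for $name" >&2; return 1; }
    echo "$cert / $key ok for $name"
}

# Generate a constructed self-signed pair for the demo (EC key, quick to make).
# Placeholder name, not a real host.
make_test_pair() {
    local dir="$1" name="$2"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" -days 1 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1
}

# Stand-alone demo: a matching pair passes, a foreign key and a wrong name fail.
demo_cert_check() {
    local d; d=$(mktemp -d)
    make_test_pair "$d" proxydnsname.example.com
    make_test_pair "$d" other.example.com
    check_proxy_cert "$d/proxydnsname.example.com.crt" "$d/proxydnsname.example.com.key" proxydnsname.example.com
    check_proxy_cert "$d/proxydnsname.example.com.crt" "$d/other.example.com.key" proxydnsname.example.com || true
    check_proxy_cert "$d/proxydnsname.example.com.crt" "$d/proxydnsname.example.com.key" other.example.com || true
    rm -rf "$d"
}

demo_cert_check
```

On the MAG you would call check_proxy_cert with the two files from step 1 and the proxy service's published DNS name; a non-zero exit means the pair should not go into Advanced Options yet.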

3 – Create the following file and make it executable (chmod +x):

    /etc/init.d/fixMultipleSSLCertificate.sh

    #!/bin/bash
    # Whenever a vhost file carries more than one active SSLCertificateFile
    # (the one generated by Access Manager plus the one from Advanced Options),
    # comment out the SSLCertificate* directives above the "Advanced Options"
    # marker so that only the per-proxy-service certificate stays active.
    cd /etc/opt/novell/apache2/conf/vhosts.d/ || exit 1

    for f in *.conf
    do
        if [[ $(grep -c -e '^\s*SSLCertificateFile' "$f") -gt 1 ]]
        then
            #echo "$f found"
            # -i edits in place (a single "-ie" would use "e" as a backup suffix)
            sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$f"
        fi
    done
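To see what the fix script actually does to a vhost file, here is an added example (not the post's code) that applies the same sed logic to a constructed vhost fragment in a temporary directory, lists which SSLCertificate* directives remain active, and re-runs the fix to show it is idempotent. The shape of the fragment, in particular the "# Advanced Options" marker line, is an assumption about the generated config; the page's script only relies on the string "Advanced Options" being present.

```shell
#!/bin/bash
# Added example (not part of the original post): exercise the
# "comment out SSLCertificate* above 'Advanced Options'" logic on a
# constructed vhost file instead of the live vhosts.d directory.
set -u

# Same fix as the page's script, parameterised by file so it can run anywhere.
fix_vhost_conf() {
    local f="$1"
    if [ "$(grep -c -e '^[[:space:]]*SSLCertificateFile' "$f")" -gt 1 ]; then
        sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$f"
    fi
}

# Print the SSLCertificateFile / SSLCertificateKeyFile values Apache would
# actually use, i.e. the directives that are not commented out.
active_cert_directives() {
    grep -E '^[[:space:]]*SSLCertificate(Key)?File' "$1" | awk '{print $2}'
}

# Constructed vhost fragment: cluster-wide certificate first, then the block
# written from Advanced Options (marker line is an assumption, see lead-in).
make_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName proxydnsname.example.com
    SSLEngine on
    SSLCertificateFile /opt/novell/apache2/certs/cluster.crt
    SSLCertificateKeyFile /opt/novell/apache2/certs/cluster.key
    # Advanced Options
    SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
    SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
</VirtualHost>
EOF
}

# Stand-alone demo: show before/after and prove a second run changes nothing.
demo_fix() {
    local dir; dir=$(mktemp -d)
    local f="$dir/proxydnsname.conf"
    make_sample_vhost "$f"
    echo "before:"; active_cert_directives "$f"
    fix_vhost_conf "$f"
    echo "after:"; active_cert_directives "$f"
    local first second
    first=$(cksum < "$f")
    fix_vhost_conf "$f"
    second=$(cksum < "$f")
    rm -rf "$dir"
    [ "$first" = "$second" ]
}

demo_fix
```

The before list shows four active directives (both pairs); after the fix only the proxydnsname.crt/.key pair remains, and because the commented lines no longer match `^\s*SSLCertificateFile`, a second run leaves the file untouched, which is what makes it safe to call on every start and reload.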

4 – Modify these parts of /etc/init.d/novell-apache2 (the start option and the reload option); the two added lines are the calls to /etc/init.d/fixMultipleSSLCertificate.sh:

    case "$1" in
        start*)
            echo -n "Starting Novell Gateway Service..."
            if [ -e $PID_FILE ]; then
                $0 status &>/dev/null
                ret=$?
                if [ $ret = 1 ]; then
                    echo "Warning: found stale pidfile (unclean shutdown?)"
                elif [ $ret = 0 ]; then
                    echo "Novell Gateway Service is already running ($PID_FILE)"
                    rc_failed $ret
                    rc_status -v1
                    rc_exit
                fi
            fi

            # added: clean up the vhost files before Apache reads them
            /etc/init.d/fixMultipleSSLCertificate.sh

            cmdline="$APACHE_BIN $APACHE_OPTIONS"
            if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
                rc_status -v
            else
                rc_status -v
                echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
            fi
            ;;

        reload|force-reload|graceful)
            echo -n "Reloading Novell Gateway Service..."
            if ! [ -f $PID_FILE ]; then
                cmdline="$APACHE_BIN $APACHE_OPTIONS"
                if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
                    rc_status -v
                else
                    rc_status -v
                    echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
                fi
            else
                cmdline="$APACHE_BIN $APACHE_OPTIONS"
                if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then
                    # added: clean up the vhost files before the graceful restart re-reads them
                    /etc/init.d/fixMultipleSSLCertificate.sh
                    killproc -USR1 $APACHE_BIN || return=$rc_failed
                    rc_status -v
                else
                    echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
                    rc_failed 6
                    rc_status -v1
                fi
            fi
            ;;

With these modifications you can use a separate certificate for each proxy service. If the certificate matches the published DNS name, the browser accepts it without warnings.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.


4 Comments

  • Alexander McHugh says:

    This looks useful, thanks for posting.

  • Jerry Combs (jwcombs) says:

    Hopefully this capability will make it into the next release so we can do this directly from the admin console.

  • Jerry Combs says:

    This doesn’t do quite what I was hoping it would. It does allow you to specify separate certificates for two domain names that share a common root. It does not allow you to add a completely separate domain to a single reverse proxy service. So domains with no common root still require a separate IP or port.

    • nsanson says:

      This is a limitation of NAM handling cookies, as it says if you try to do a virtual definition on a SSL proxy service:

      Domain-Based Multi-Homing requires the Published DNS Name to be in the Cookie Domain of the first Proxy Service

      We cannot do anything about this.

By: nsanson, May 30, 2014, 11:23 am