5.2 Configuring SSL in Access Gateway

You can configure Access Gateway to use SSL in its connections to Embedded Service Provider (ESP), browsers, and its web servers.

Enable SSL with ESP: To encrypt the data exchanged for authentication (a communication channel between Identity Server and Access Gateway). This option is available only for the reverse proxy that has been assigned to perform authentication.

If you enable SSL between browsers and Access Gateway, this option is selected automatically. You can also enable SSL with the ESP without enabling SSL between Access Gateway and browsers. The authentication and identity information that Access Gateway and Identity Server exchange then uses a secure channel, while the data that Access Gateway retrieves from the back-end web servers and sends to users travels over a non-secure channel. This saves processing overhead if the data on the web servers is not sensitive, but keep in mind that everything the browser sends to Access Gateway over HTTP, including cookies and form fields, is also unencrypted.

Enable SSL between Browser and Access Gateway: To configure SSL connections between your clients and Access Gateway. SSL must be configured between browsers and Access Gateway before you can configure SSL between Access Gateway and web servers.

Redirect Requests from Non-Secure Port to Secure Port: To determine whether browsers are redirected to a secure port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.

This option is only available if you have selected Enable SSL between Browser and Access Gateway.

For information about how to enable SSL with ESP and how to redirect requests from a non-secure port to a secure port, see Section 5.2.1, Enabling SSL between Browsers and Access Gateway.

5.2.1 Enabling SSL between Browsers and Access Gateway

This section explains how to enable SSL communication between Access Gateway and browsers (channel 4 in Figure 5-1).

  1. In Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. Select the following options based on your requirement:

    • Enable SSL with Embedded Service Provider

    • Enable SSL between Browser and Access Gateway

    • Redirect Requests from Non-Secure Port to Secure Port

  3. Select the certificate to use for SSL between Access Gateway and browsers.

  4. (Conditional) If you selected a certificate in Step 3 that was created by an external CA, click Auto-Import Embedded Service Provider Trusted Root, and specify an alias name.

    This option imports the public key from ESP into the trust store of the Identity Servers in the selected Identity Server configuration. This sets up a trusted SSL relationship between Identity Server and ESP.

    If you are using certificates signed by the Access Manager CA, the public key is automatically added to this trust store.

  5. Configure the ports for SSL:

    Non-Secure Port: Indicates the port on which Access Gateway listens for HTTP requests. The default port for HTTP is 80.

    • If you selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port; if it cannot, the session is terminated.

    • If you do not select the Redirect Requests from Non-Secure Port to Secure Port option, this port is not used when SSL is enabled.

    Secure Port: Indicates the port on which Access Gateway listens for HTTPS requests (usually 443). This port must match the port used in your SSL configuration. When SSL is enabled, all communication with browsers uses this port. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.

  6. Click OK > Reverse Proxy / Authentication.

  7. (Conditional) If you are using an externally signed certificate for Identity Server cluster, click Auto-Import Identity Server Trusted Root to import the public key of the CA.
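After the listener is configured, check it from a client the way a browser would. The script below is an added example for this section; it is not part of the original documentation or of Access Manager, and the host names and ports in it are placeholders for your own gateway. It probes the non-secure port and classifies the answer as a redirect to https (Redirect Requests from Non-Secure Port to Secure Port selected), a redirect that stays on http, plaintext service (SSL not enforced), or denial of service, and it prints the certificate the secure port actually serves so that it can be compared with the certificate selected in Step 3.

```shell
#!/bin/sh
# Added example: client-side check of a reverse proxy's browser-facing listener.
# Host and port values are placeholders; requires curl and the openssl CLI.

# Classify a raw HTTP response head (read from stdin) to a plain-HTTP request:
#   redirect          - 3xx with an https:// Location (redirect option selected)
#   redirect-insecure - 3xx that points back at http://, so SSL is never reached
#   plaintext         - 2xx over HTTP: SSL is not being enforced on this port
#   denied            - empty or other answer: non-secure port refuses service
classify_nonsecure_response() {
    awk 'NR == 1 { split($0, f, " "); code = f[2] }
         tolower($0) ~ /^location:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); loc = $0
         }
         END {
             if (code ~ /^3[0-9][0-9]$/ && loc ~ /^https:\/\//) print "redirect"
             else if (code ~ /^3[0-9][0-9]$/)                    print "redirect-insecure"
             else if (code ~ /^2[0-9][0-9]$/)                    print "plaintext"
             else                                                 print "denied"
         }'
}

# Probe the non-secure port; --max-time keeps a hung listener from blocking the check.
# A refused connection produces no output, which classifies as "denied".
probe_nonsecure_port() {   # $1 = host, $2 = non-secure port (normally 80)
    curl -s -o /dev/null -D - --max-time 5 "http://$1:$2/" | classify_nonsecure_response
}

# Show the certificate the secure port serves, to compare with the one chosen in Step 3.
show_served_cert() {       # $1 = host, $2 = secure port (normally 443)
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh check-listener.sh ag.example.com 80 443
if [ $# -eq 3 ]; then
    echo "non-secure port $2: $(probe_nonsecure_port "$1" "$2")"
    show_served_cert "$1" "$3"
fi
```

Run it against the published DNS name of the reverse proxy, not the internal address, so that the Location header and the served certificate are the ones real clients receive.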

5.2.2 Enabling SSL between Access Gateway and Web Servers

Channel 5 in Figure 5-1, SSL Communication Channels.

SSL must be enabled between Access Gateway and browsers before you can enable it between Access Gateway and its web servers. See Section 5.2.1, Enabling SSL between Browsers and Access Gateway.

  1. In Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

  2. Select Connect Using SSL.

  3. Configure how you want the proxy service to verify the web server certificate:

    1. Select one of the following options in Web Server Trusted Root:

      Do not verify: Use this option when you want the information between Access Gateway and the web server encrypted, but you do not need the added security of verifying the web server certificate.

      Continue with Step 4.

      Any in Reverse Proxy Trust Store: Use this option to verify the web server certificate against the certificate authorities in the proxy trust store. When this option is selected, the public certificate of the certificate authority that signed the web server certificate must be added to the proxy trust store.

      IMPORTANT: For an Access Gateway Service, this is a global option. If you select it for one proxy service, all proxy services on that Access Gateway Service are flagged to verify the web server certificate. This verification is done even for proxy services that are set to Do not verify.

      If the web server certificate is part of a chain of certificates, select SSLProxyVerifyDepth and specify how many certificates are in the chain.

      The SSL connection between Access Gateway and a web server can fail if the web server uses a self-signed certificate. To prevent this, import the web server certificate into the proxy trust store and then point the following service-level advanced option at the file that holds it:

      Windows: SSLProxyCACertificateFile "C:\Program Files\Novell\apache\cacerts\myserver.pem"

      Linux: SSLProxyCACertificateFile /opt/novell/apache2/cacerts/myserver.pem

    2. Click Manage Reverse Proxy Trust Store.

    3. Ensure that the IP address of the web server and the port match your web server configuration and then click OK.

      If the whole chain is not displayed, import what is displayed and then manually import the missing parents in the chain. A parent is missing if the chain does not end in a self-signed certificate, that is, a certificate whose Subject and Issuer have the same CN.

    4. Specify an alias.

      All the displayed certificates are added to the trust store.

  4. (Optional) Set up mutual authentication so that the web server can verify the proxy service certificate. Click Select Certificate to select the certificate you created for the reverse proxy.

    You need to import the trusted root certificate of the CA that signed the proxy service's certificate into the web servers assigned to this proxy service. For instructions, see your web server documentation.

  5. In Connect Port, specify the port that your web server uses for SSL communication.
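The trust-store import in Step 3 and the Any in Reverse Proxy Trust Store check both depend on the web server presenting a chain that ends in a self-signed root. The script below is an added example for this section, not part of the original documentation or of Access Manager. It checks a PEM bundle before you import it (for instance the output of `openssl s_client -connect webserver:443 -showcerts`): it reports whether the chain is complete, lists the parents that would have to be imported manually, and runs the same kind of CA verification the trust-store option performs, using the openssl CLI with a depth limit in the spirit of SSLProxyVerifyDepth. The `make_demo_pki` function builds throw-away test certificates so the script can be exercised offline; the names in it are constructed and are not real CAs.

```shell
#!/bin/sh
# Added example: check a web server certificate bundle before importing it
# into the reverse proxy trust store. Requires the openssl command-line tool.

# Print one "subject<TAB>issuer" line per certificate in a PEM bundle.
cert_names() {   # $1 = PEM bundle
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -noout \
      | awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { printf "%s\t%s\n", s, substr($0, 8) }'
}

# A chain is complete when it contains a self-signed certificate
# (Subject equals Issuer), i.e. the root CA. Exit status 0 = complete.
chain_is_complete() {   # $1 = PEM bundle
    cert_names "$1" | awk -F '\t' '$1 == $2 { found = 1 } END { exit !found }'
}

# Print every issuer that no certificate in the bundle has as its subject:
# these are the parents that have to be imported manually.
missing_parents() {   # $1 = PEM bundle
    cert_names "$1" | awk -F '\t' '
        { subj[$1] = 1; iss[NR] = $2 }
        END { for (i = 1; i <= NR; i++) if (!(iss[i] in subj)) print iss[i] }'
}

# Verify a web server certificate against a trust store, limiting the chain
# depth as SSLProxyVerifyDepth does. Exit status 0 = trusted.
# (Add "-untrusted intermediates.pem" if the server relies on intermediate CAs.)
verify_against_store() {   # $1 = trust store PEM, $2 = server cert PEM, $3 = depth
    openssl verify -CAfile "$1" -verify_depth "$3" "$2" >/dev/null 2>&1
}

# Constructed throw-away material for the demo: a root CA, a leaf it signed,
# and an unrelated CA. These are not real certificates.
make_demo_pki() {   # $1 = empty directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=web.example.com" \
        -keyout "$d/web.key" -out "$d/web.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/web.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/web.pem" 2>/dev/null
    cat "$d/web.pem" "$d/root.pem" > "$d/full-chain.pem"   # what a well-configured server sends
    cp  "$d/web.pem" "$d/leaf-only.pem"                     # what a misconfigured server sends
}

# Usage: sh chain-check.sh bundle.pem
if [ $# -eq 1 ]; then
    if chain_is_complete "$1"; then
        echo "chain complete: a self-signed root is present"
    else
        echo "chain incomplete; import these parents manually:"
        missing_parents "$1"
    fi
fi
```

The Do not verify option corresponds to skipping `verify_against_store` entirely: the connection is still encrypted, but any server that can complete a TLS handshake on the web server's address and port is accepted.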