15.3 Assigning Certificates to an Access Gateway

Access Gateway can be configured to use certificates for SSL communication with three types of entities:

  • Identity Server: Access Gateway uses the Embedded Service Provider to communicate with Identity Server. The Access Manager CA automatically generates the required certificates for secure communication when you set up a trusted relationship with Identity Server. To manage these certificates in Administration Console, click Access Gateways > [Configuration Link] > Service Provider Certificates. For more information, see Section 15.3.1, Managing Embedded Service Provider Certificates.

  • Client browsers: You can enable SSL communication between the client browsers and Access Gateway. When setting up this feature, you can either have the Access Manager CA automatically generate a certificate key or you can select a certificate key you have already imported (or created) for the reverse proxy. To manage this certificate in Administration Console, click Access Gateways > [Configuration Link] > [Name of Reverse Proxy]. For more information, see Section 3.8.2, Managing Reverse Proxies and Authentication.

  • Protected Web servers: You can enable SSL communication between Access Gateway and the Web servers it is protecting. This option is only available if you have enabled SSL communication between the browsers and Access Gateway. You can enable SSL or mutual SSL. To manage these certificates in Administration Console, click Access Gateways > [Configuration Link] > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers. For more information, see Section 3.8.3, Configuring Web Servers of a Proxy Service.

15.3.1 Managing Embedded Service Provider Certificates

Access Gateway uses an Embedded Service Provider to communicate with Identity Server. The Service Provider Certificates page allows you to view the private keys, certificate authority (CA) certificates, and certificate containers associated with this module. These keystores do not contain the certificates that Access Gateway uses for SSL connections to browsers or to back-end Web servers.

To view or modify these certificates:

  1. In Administration Console Dashboard, click Devices > Access Gateways > Edit > Service Provider Certificates.

  2. Configure the following:

    Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the logout requests from ESP to Identity Server.

    Trusted Roots: The trusted root certificate container for the CA certificates associated with Access Gateway. Click this link to access the trust store, where you can add trusted roots to the container.

    The Embedded Service Provider must trust the certificate of the Identity Server with which Access Gateway has a trusted relationship. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of that CA to the Trusted Roots store. To import this certificate, click Trusted Roots, then in the Trusted Roots section, click Auto-Import From Server. Fill in the IP address or DNS name of your Identity Server and its port, then click OK.

    You can also auto-import the Identity Server certificate by selecting the Auto-Import Identity Server Configuration Trusted Root option on the Reverse Proxies / Authentication page (click Devices > Access Gateways > Edit > Reverse Proxies / Authentication). With this option, you do not need to specify the IP address and port of Identity Server.

  3. To save your changes to browser cache, click OK.

  4. To apply your changes, click the Access Gateways link, then click Update > OK.
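The following script is an added example, not part of the NetIQ documentation: it reproduces the trust-store condition described above (the Identity Server certificate was issued by a third-party CA, and the Embedded Service Provider's Trusted Roots container either does or does not hold that CA) using throwaway certificates, so you can see what `openssl verify` reports in each case before relying on the Auto-Import From Server step. The CA names, host name and file paths are constructed for the demo; to check a real deployment, export the Trusted Roots container as a PEM bundle and the Identity Server certificate, and pass them to `chain_ok`.

```shell
#!/bin/sh
# Added example (constructed names and paths): does a PEM trust store, standing
# in for the ESP Trusted Roots container, let the Identity Server certificate
# validate? Requires the openssl command-line tool.
set -eu
WORK="$(mktemp -d)"

# Hypothetical corporate CA (not the Access Manager CA) that issued the
# Identity Server certificate.
make_issuing_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Corporate CA" \
    -keyout "$WORK/corp-ca.key" -out "$WORK/corp-ca.pem" 2>/dev/null
}

# Identity Server certificate for a constructed host name, signed by that CA.
make_idp_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.internal" \
    -keyout "$WORK/idp.key" -out "$WORK/idp.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/idp.csr" \
    -CA "$WORK/corp-ca.pem" -CAkey "$WORK/corp-ca.key" -CAcreateserial \
    -out "$WORK/idp.pem" 2>/dev/null
}

# An unrelated CA: a trust store that holds only this is the misconfiguration
# the documentation warns about (issuing CA missing from Trusted Roots).
make_unrelated_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# chain_ok TRUSTSTORE.pem CERT.pem
# Returns 0 when CERT chains to a root in TRUSTSTORE, 1 otherwise.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_issuing_ca; make_idp_cert; make_unrelated_ca

if chain_ok "$WORK/corp-ca.pem" "$WORK/idp.pem"; then
  echo "Trusted Roots contains the issuing CA: ESP can trust Identity Server"
fi
if ! chain_ok "$WORK/other.pem" "$WORK/idp.pem"; then
  echo "Trusted Roots lacks the issuing CA: import it (Auto-Import From Server)"
fi
```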

15.3.2 Managing Reverse Proxy and Web Server Certificates

You select Access Gateway certificates on two pages in Administration Console:

  • Devices > Access Gateways > Edit > [Name of Reverse Proxy]

  • Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers

When you configure certificates on these pages, you need to be aware that two phases are used to push the certificates into active use.

Phase 1: When you select a certificate on one of these pages, then click OK, the certificate is placed in the keystore on Administration Console and it is pushed to Access Gateway. The certificate is available for use, but it is not used until you update Access Gateway.

Phase 2: When you select to update Access Gateway, the configuration for Access Gateway is modified to contain references to the new certificate and the configuration change is sent to Access Gateway. Access Gateway loads and uses the new certificate.