17.2 Using SSL on Access Gateway Communication Channels

You can configure Access Gateway to use SSL in its connections to Identity Server, to the browsers, and to its Web servers. Figure 17-2 illustrates these communication channels.

Figure 17-2 Setting Up SSL for Access Gateway Communication Channels

This section describes only how to set up SSL for Access Gateway communication channels. Identity Server needs to be configured for SSL before Access Gateway can be configured for SSL. See Configuring Secure Communication on Identity Server.

When a user logs in to Identity Server, Identity Server verifies the user’s credentials, usually against the credentials stored in an LDAP directory, although other methods are available. If the login is successful, Identity Server sends an artifact to the browser, and the browser forwards it to Access Gateway. Access Gateway uses the artifact to retrieve the user’s name and password from Identity Server. Because this channel carries those credentials, the Access Gateway to Identity Server channel is probably the first communication channel you should enable for SSL.

Access Gateway uses an Embedded Service Provider to communicate with Identity Server. When you enable SSL between the two, Access Manager distributes the certificates needed to set up SSL. However, if you have configured Identity Server to use certificates from an external certificate authority (CA), you must import the public certificate of that CA into the trust store of Access Gateway. Likewise, if you have set up Access Gateway to use a certificate from an external CA, you must import the public certificate of that CA into the trust store of Identity Server.

SSL must be enabled between Access Gateway and the browsers before you can enable SSL between Access Gateway and its Web servers. If you enable SSL between Access Gateway and the browsers, SSL is automatically enabled for the Access Gateway Embedded Service Provider that communicates with Identity Server. After you have enabled SSL between Access Gateway and the browsers, you can select whether to enable SSL between Access Gateway and the Web servers. By not enabling SSL to the Web servers, you can save processing overhead if the data on the Web servers is not sensitive or if it is already sufficiently protected.

Whether you need the added security of SSL or mutual SSL between Access Gateway and its Web servers depends upon how you have set up your Web servers.

  • You should enable at least SSL if Access Gateway is injecting authentication credentials into HTTP headers.

  • Mutual SSL is probably not needed if you have configured the Web servers so that they can only accept connections with Access Gateway.