19.6 Configuring SSL between the Proxy Service and the Web Servers

SSL must be enabled between Access Gateway and browsers before you can enable it between Access Gateway and its web servers. See Section 19.5, Configuring SSL Communication with Browsers and Access Gateway.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

  2. Select Connect Using SSL.

  3. Configure how you want the proxy service to verify the web server certificate:

    1. Select one of the following options in Web Server Trusted Root:

      Do not verify: Use this option when you want the information between Access Gateway and the web server encrypted, but you do not need the added security of verifying the web server certificate.

      Continue with Step 4.

      Any in Reverse Proxy Trust Store: Use this option to verify the certificate authority of the web server certificate. When this option is selected, the public certificate of the certificate authority must be added to the proxy trust store.

      IMPORTANT: For an Access Gateway Service, this is a global option. If you select this option for one proxy service, all proxy services on an Access Gateway Service are flagged to verify the public certificate. This verification is done even when other proxy services are set to Do not verify.

      If the web server certificate is part of a chain of certificates, select SSLProxyVerifyDepth and specify how many certificates are in the chain.

      The SSL connection between Access Gateway and a web server may fail if a self-signed certificate is used. To prevent this, import the web server certificates to the proxy trust store and then use the following advanced option:

      Windows: SSLProxyCACertificateFile "C:\Program Files\Novell\apache\cacerts\myserver.pem".

      Linux: SSLProxyCACertificateFile /opt/novell/apache2/cacerts/myserver.pem. This is a service-level advanced option.

    2. Click Manage Reverse Proxy Trust Store.

    3. Ensure that the IP address of the web server and the port match your web server configuration and then click OK.

      If the whole chain is not displayed, import what is displayed. You then need to manually import the missing parents in the chain. A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN.

    4. Specify an alias.

      All the displayed certificates are added to the trust store.

  4. (Optional) Set up mutual authentication so that the web server can verify the proxy service certificate. Click Select Certificate to select the certificate you created for the reverse proxy.

    You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the web servers assigned to this proxy service. For instructions, see your Web server documentation.

  5. In Connect Port, specify the port that your web server uses for SSL communication.
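The two chain checks behind Step 3 (the Subject-equals-Issuer test that tells you a parent is missing, and the depth that SSLProxyVerifyDepth must cover), as an added Go example that is not part of this documentation or of Access Gateway. It builds a constructed root CA / issuing CA / web server chain in memory with Go's crypto/x509 and verifies it against a trust store the way Any in Reverse Proxy Trust Store does; the CA names are made up, and the depth is counted as Apache mod_ssl defines it (0 = self-signed only, 1 = one directly trusted CA above the web server certificate).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues an in-memory certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainHasRoot: does the chain the web server sends include its self-signed root (Subject equals Issuer)?
func chainHasRoot(chain []*x509.Certificate) bool {
	for _, c := range chain {
		if bytes.Equal(c.RawSubject, c.RawIssuer) {
			return true
		}
	}
	return false
}

// chainDepth mirrors "Any in Reverse Proxy Trust Store": it verifies the web server certificate against
// the trust store and returns the number of CA certificates above it, which SSLProxyVerifyDepth must cover.
func chainDepth(leaf *x509.Certificate, intermediates, roots *x509.CertPool) (int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return 0, err
	}
	return len(chains[0]) - 1, nil
}
```

An error from chainDepth means the chain does not reach a certificate in the trust store (the missing-parent case); when a self-signed web server certificate is itself imported, it verifies with depth 0.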