4.6 Setting Up Secure Exchange

Secure Exchange is typically used when a Web server does not provide Secure Sockets Layer (SSL) functionality but you still want to access Web pages securely over the Internet. If Secure Exchange is enabled, then all of the HTTP requests coming to the iChain Proxy Server are redirected to HTTPS, causing the data exchanged between the browser and the server to be encrypted using SSL.

You must enable Secure Exchange for Basic Authentication to function correctly (see Section 6.2, Enabling Authentication Through the HTTP Authorization Header).

You can set up Secure Exchange between the client browser and the iChain proxy and also between the iChain proxy and the origin Web server. If you want Secure Exchange between the proxy and the Web server, you must first have it enabled between the client and the proxy.

To set up Secure Exchange:

  1. In the proxy server administration tool, click Configure, then click Web Server Accelerator.

  2. Select the accelerator on which you want to configure Secure Exchange, then click Modify.

  3. Check the Enable Secure Exchange check box.

  4. Specify the SSL listening port to use for Secure Exchange traffic.

  5. In the Certificate drop-down box, select the certificate to use for SSL.

    If you also want to set up Secure Exchange between the iChain proxy and the origin Web server, go to Step 6; otherwise, go to Step 9.

  6. Click Secure Exchange Options.

    This page lets you enable secure access between the iChain Proxy and the origin Web server.

    Figure: Secure Exchange Options page

  7. In the Port field, enter the SSL port to use between the iChain Proxy and the origin Web server.

  8. Check the Enable secure access between the iChain Proxy and the Origin Web Server check box.

    With Secure Access enabled between the iChain proxy and the origin Web server, iChain needs to trust the Certificate Authority of the certificate used by the origin Web server. This means you must add a trusted root object into the trusted root container specified in the iChain Service Object configuration. For information about adding a trusted root container, see Section 4.6.1, Creating a Trusted Root Container and Trusted Root Objects.

  9. Click OK, then click Apply.

4.6.1 Creating a Trusted Root Container and Trusted Root Objects

  1. Export a base-64 trusted root file of the Certificate Authority used by the SSL certificate of the origin Web server.

  2. From ConsoleOne, select the Security object located at the root of your LDAP tree.

  3. Select File, select New, then select New Object

    or

    Click the New Object icon.

  4. Select NDSPKI:Trusted Root, then click OK.

  5. Specify a name for the trusted root container (for example, iChain Roots), then click OK.

  6. Select the object you just created (for example, the iChain Roots object).

  7. Select File, select New, then select New Object.

    or

    Click the New Object icon.

  8. Select NDSPKI:Trusted Root Object, then click OK.

  9. Define a name for the trusted root object (for example, Baltimore CA), then click OK.

  10. Click the Read from File button, browse your system for the trusted root certificate, then import it into the dialog box

    or

    Paste your trusted root certificate into the dialog box.

    To use this option, you must first open the trusted root certificate in a text editor or some other program and copy the contents to the clipboard. Then click inside the box and paste the certificate contents.

  11. Click Finish.

    If you want to add more trusted root objects, repeat Step 6 through Step 10 for each certificate.

    After you create a trusted root container object, you need to configure the iChain Service Object (ISO) with the location of that container object. See Section 4.6.2, Configuring iChain to Use the Trusted Root Container and Objects.
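Before pasting the base-64 file into the Trusted Root Object dialog (Step 1 and Step 10 above), and before enabling secure access between the proxy and the origin Web server (Section 4.6, Step 8), it is worth confirming that the exported file really is a self-signed CA certificate and that the origin server's certificate chains to it. The following script is an added example, not part of the iChain documentation; it assumes the openssl command-line tool is installed, and the function names check_trusted_root and check_origin_chain are hypothetical.

```shell
#!/bin/sh
# Added example, not from the iChain documentation. Assumes the openssl CLI.

# check_trusted_root FILE
# Returns 0 when FILE is a base-64 (PEM) certificate that is self-signed and
# marked as a CA, i.e. something that belongs in the trusted root container.
check_trusted_root() {
    file=$1
    # The Trusted Root Object dialog expects the base-64 text, not DER.
    grep -q 'BEGIN CERTIFICATE' "$file" ||
        { echo "$file: not a base-64 certificate" >&2; return 1; }
    openssl x509 -in "$file" -noout >/dev/null 2>&1 ||
        { echo "$file: openssl cannot parse it" >&2; return 1; }
    subject=$(openssl x509 -in "$file" -noout -subject)
    issuer=$(openssl x509 -in "$file" -noout -issuer)
    # A root certificate is self-signed: its subject and issuer names match.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] ||
        { echo "$file: not self-signed; export the root, not an intermediate" >&2; return 1; }
    # basicConstraints must mark it as a CA.
    openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE' ||
        { echo "$file: basicConstraints CA:TRUE missing" >&2; return 1; }
    # Print the fingerprint so it can be compared with the CA's published value.
    openssl x509 -in "$file" -noout -fingerprint -sha256
}

# check_origin_chain HOST PORT ROOTFILE
# Returns 0 when HOST:PORT presents a certificate chain that validates against
# ROOTFILE alone, which is exactly what the proxy-to-origin SSL link requires.
check_origin_chain() {
    host=$1; port=$2; root=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$root" -verify_return_error </dev/null >/dev/null 2>&1
}
```

Run check_trusted_root on the exported file first; if it fails, the trusted root object will be created but the proxy-to-origin connection will still fail certificate verification.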

4.6.2 Configuring iChain to Use the Trusted Root Container and Objects

  1. From ConsoleOne, click General on the iChain Service Object (ISO).

  2. Using the Browse button, browse to the trusted root container previously created in Section 4.6.1, Creating a Trusted Root Container and Trusted Root Objects.

  3. Click OK.