2.2 Using Access Manager Certificates

By default, all Access Manager components (Identity Server, Access Gateway, SSL VPN, and J2EE Agents) trust the local CA. However, the browsers are not set up to trust the Access Manager CA. You need to import the public key of the trusted root certificate (configCA) into the browsers to establish the trust.

This section discusses the following procedures:

2.2.1 Configuring Secure Communication on the Identity Server

The Identity Server comes with the test-connector certificate. This procedure shows you how to replace this certificate by completing the following tasks:

  • Enable SSL on the Identity Server (changing from HTTP to HTTPS)

  • Create a certificate

  • Replace the test-connector certificate with the newly created certificate

To configure SSL on the Identity Server:

  1. In the Administration Console, click Devices > Identity Servers.

  2. In the Configuration column, click Edit.

  3. Change Protocol to HTTPS (the system changes the port to 8443), click Apply, then click OK at the warning.

  4. Copy the domain name of your Identity Server configuration to the clipboard, or take note of the name. It must match the common name of the new certificate.

  5. Click the SSL Certificate icon, then click OK at the warning if you clicked Apply when you changed the protocol to HTTPS.

    If you did not click Apply, then click Cancel and click Apply before returning to this option.

    The Keystore configuration page appears.

  6. In the Certificates section, click Replace.

  7. In the Replace dialog box, click the Select Certificate icon next to the Certificate field.

  8. On the Select Certificate page, click New.

  9. Click Use local certificate authority.

    This option creates a certificate signed by the local CA (or Organizational CA), and creates the private key.

  10. Fill in the following fields:

    Certificate name: A name that you can associate with this certificate. For easy reference, you might want to paste the domain name of the Identity Server configuration in this field.

    For information about how to modify the default values before clicking OK, see Creating Certificates in the NetIQ Access Manager 3.2 SP3 Administration Console Guide.

    Subject: Click the Edit Subject icon. In the Common Name field, paste the domain name of the base URL of the Identity Server configuration. This value cannot be an IP address or begin with a number, in order to ensure that trust does not fail between providers.

    If you are going to be using Windows CardSpace, fill in values for the other common attributes.

  11. Click OK.

  12. To accept the default values in the other fields, click OK twice.

    The new certificate is displayed on the Select Certificate page.

  13. Verify that the new certificate is selected, then click OK.

  14. Click OK on the Replace dialog box.

  15. Click Restart Now to restart Tomcat, as prompted.

  16. Click Close on the Keystore page.

    • If your Identity Server and Administration Console are on the same machine, you need to log in to the Administration Console again.

    • If your Identity Server is on another machine, click OK.

  17. To verify the health of the Identity Server, click Devices > Identity Servers.

  18. To update the embedded service provider of the Access Gateway to use the new URL, click Devices > Access Gateways > Update.

    If you do not receive the option to update the Access Gateway, select the Access Gateway, then click Actions > Service Provider > Restart Service Provider > OK.

    Restarting the service provider reestablishes the trust between the Access Gateway and the new base URL for the Identity Server.

  19. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished.

    1. Enter the URL to a protected resource on the Access Gateway.

    2. Complete one of the following:
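The following script is an added example, not part of the NetIQ guide: it applies the common-name rules from step 10 (the name must match the base URL host, must not be an IP address, and must not begin with a number), then checks the certificate the Identity Server actually serves against the exported configCA root. The file name configCA.pem, the host name and port 8443 are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: applies the common-name rules from
# step 10 above, then checks the live Identity Server certificate against the
# exported configCA root. configCA.pem, the host name and the port are assumptions.

# check_common_name CN EXPECTED_HOST -> 0 if CN is usable, 1 with a reason if not
check_common_name() {
  cn=$1; expected=$2
  case "$cn" in
    "")     echo "empty common name"; return 1 ;;
    [0-9]*) echo "common name must not be an IP address or begin with a number: $cn"; return 1 ;;
    *:*)    echo "common name must not be an IPv6 literal: $cn"; return 1 ;;
  esac
  if [ "$cn" != "$expected" ]; then
    echo "common name '$cn' does not match the base URL host '$expected'"; return 1
  fi
  echo "ok: $cn"
}

# verify_idp_cert HOST PORT CAFILE -> 0 when the served chain verifies against
# the configCA root and the leaf certificate's CN passes check_common_name
verify_idp_cert() {
  host=$1; port=$2; cafile=$3
  # s_client exits non-zero only on connection failure; verification status is in its output
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || {
    echo "chain from $host:$port does not verify against $cafile"; return 1; }
  # Extract the CN of the leaf certificate (RFC2253 order puts CN first)
  cn=$(printf '%s\n' "$out" | openssl x509 -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  check_common_name "$cn" "$host"
}

# Usage with assumed values: verify_idp_cert idp.example.com 8443 configCA.pem
```

A failing chain check after step 18 usually means the embedded service provider and the Identity Server do not share the same trusted root, which is what step 19 is meant to catch.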

2.2.2 Configuring the Access Gateway for SSL

This section describes how to set up SSL for the Access Gateway communication channels:

Configuring SSL Communication with the Browsers and the Access Gateway

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. To configure the reverse proxy for SSL, fill in the following fields:

    Enable SSL with Embedded Service Provider: Select this option to encrypt the data exchanged for authentication (the communication channel between the Identity Server and the Access Gateway). This option is only available for the reverse proxy that has been assigned to perform authentication.

    If you enable SSL between the browsers and the Access Gateway, this option is automatically selected for you. You can enable SSL with the embedded service provider without enabling SSL between the Access Gateway and the browsers. This allows the authentication and identity information that the Access Gateway and the Identity Server exchange to use a secure channel, but allows the Access Gateways to use non-secure channels with the browsers and the Web servers. This saves processing overhead if the data on the Web servers is not sensitive.

    Enable SSL between Browser and Access Gateway: Select this option to require SSL connections between your clients and the Access Gateway. SSL must be configured between the browsers and the Access Gateway before you can configure SSL between the Access Gateway and the Web servers. For this process, see Enabling SSL between the Reverse Proxy and Its Web Servers.

    Redirect Requests from Non-Secure Port to Secure Port: Determines whether browsers are redirected to the secure port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.

  3. Generate a certificate key by using the Access Manager CA:

    1. Click Auto-generate Key, then click OK twice.

    2. On the Select Certificate page, make sure the certificate is selected, then click OK.

      The generated certificate appears in the Server Certificate text box.

  4. Configure the ports for SSL:

    Non-Secure Port: Specifies the port on which to listen for HTTP requests. The default port for HTTP is 80. If you have selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port. If the browser cannot establish an SSL connection, the session is terminated.

    Secure Port: Specifies the port on which to listen for HTTPS requests (which is usually 443). This port needs to match the configuration for SSL. If SSL is enabled, this port is used for all communication with the browsers. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.

  5. In the Proxy Service List, click [Name of Proxy Service] > Protected Resources.

  6. In the Protected Resource List, change the Authentication Procedure from an HTTP contract to an HTTPS contract.

    For example, if a protected resource is using the Name/Password - Basic contract, click the name and change it to the Name/Password - Form, the Secure Name/Password - Basic or the Secure Name/Password - Form contract. Then click OK.

    The Name/Password - Form contract is capable of using either HTTP or HTTPS.

    To enable single sign-on, select the same contract for all the protected resources.

  7. Click the Configuration Panel link near the bottom of the page, then in the confirmation box, click OK.

  8. On the Server Configuration page, click Reverse Proxy / Authentication.

  9. In the Embedded Service Provider section, click Auto-Import Identity Server Configuration Trusted Root, click OK, specify an alias, click OK twice, then click Close.

    This option imports the public key of the Identity Server into the trust store of the embedded service provider. This sets up a trusted SSL relationship between the embedded service provider and the Identity Server.

    The configCA public key certificate of the Access Manager CA is automatically added to the ESP Trust Store. If you are using Access Manager CA certificates for the Identity Server, you do not need to import the configCA certificate unless someone has deleted it from this trust store.

  10. Click Configuration Panel, then in the confirmation box, click OK.

  11. On the Server Configuration page, click OK.

  12. On the Access Gateways page, click Update > OK.

  13. Update the Identity Server so that it uses the new SSL configuration. Click Devices > Identity Servers, then click Update > OK.

  14. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished:

    1. Enter the URL to a protected resource on the Access Gateway. For example, enter

      https://www.mytest.com

    2. Complete one of the following:

Enabling SSL between the Reverse Proxy and Its Web Servers

To enable SSL between the reverse proxy and the Web servers, you must have already performed the following tasks:

  • Enabled SSL between the Access Gateway and the browsers. See Section 1.4.1, Configuring a Reverse Proxy and select the Enable SSL between Browser and Access Gateway field.

  • Enabled SSL on the Web server. See your Web server documentation.

If you have completed these tasks:

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

    The Web Servers configuration page appears.

  2. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 1.4.1, Configuring a Reverse Proxy and select the Enable SSL between Browser and Access Gateway field.

  3. In the Connect Port field, specify the port that your Web server uses for SSL communication.

  4. Configure how you want the Web server certificate verified by selecting one of the following options:

    • Do not verify: Select this option if you do not want to verify the Web Server Trusted Root certificate. Continue with Step 10.

    • To verify the certificate authority of the Web server certificate, select Any in Reverse Proxy Trust Store. When this option is selected, the public certificate of the certificate authority must be added to the proxy trust store.

      IMPORTANT: For an Access Gateway Service, this option is a global option. If you select this option for one proxy service, all proxy services on an Access Gateway Service are flagged to verify the public certificate. This verification is done even when other proxy services are set to Do not verify.

  5. Click the Manage Reverse Proxy Trust Store icon. The auto import screen appears.

  6. Ensure that the IP address of the Web server and the port match your Web server configuration.

    If these values are wrong, you have entered them incorrectly on the Web server page. Click Cancel and reconfigure them before continuing.

  7. Click OK.

    Wait while the Access Gateway retrieves the server certificate, the root CA certificate, and any CA certificates from a chain from the Web server.

  8. Specify an alias, then click OK.

    All the displayed certificates are added to the trust store.

  9. Click Close.

  10. (Optional) For mutual authentication:

    1. Select the certificate. Click the Select Certificate icon, select the certificate you created for the reverse proxy, then click OK.

    2. Import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service.

      See your Web server documentation for instructions.

  11. Click Configuration Panel, then click OK.

  12. On the Configuration page, click OK.

  13. On the Access Gateways page, click Update.

  14. (Optional) Test this configuration from a client browser:

    1. Enter the published DNS name as the URL in the browser.

    2. Click the links that require authentication for access.
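The following script is an added example, not part of the NetIQ guide: it retrieves the Web server's certificate chain the way the auto-import in steps 5 to 8 does, splits it into one PEM file per certificate so you can see exactly what would be added to the Reverse Proxy Trust Store, and verifies the leaf against the root you expect. The host name, Connect Port and output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: fetches a Web server's certificate
# chain, splits it into per-certificate PEM files (what the trust store import
# receives) and verifies the leaf. Host, port and directory values are assumptions.

# split_pem_chain INPUT OUTDIR -> writes cert-1.pem (leaf), cert-2.pem, ...;
# prints the number of certificates found
split_pem_chain() {
  in=$1; dir=$2; mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END { print n + 0 }' "$in"
}

# fetch_chain HOST PORT OUTFILE -> raw "openssl s_client -showcerts" output
fetch_chain() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    2>/dev/null > "$3"
}

# describe_chain DIR CAFILE -> prints subject, issuer and expiry of every
# certificate, then verifies the leaf against CAFILE using the rest as
# untrusted intermediates
describe_chain() {
  dir=$1; cafile=$2
  for f in "$dir"/cert-*.pem; do
    printf '%s: ' "$f"; openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
  cat "$dir"/cert-*.pem > "$dir/bundle.pem"
  openssl verify -CAfile "$cafile" -untrusted "$dir/bundle.pem" "$dir/cert-1.pem"
}

# Usage with assumed values:
#   fetch_chain www.mytest.com 443 /tmp/chain.txt
#   split_pem_chain /tmp/chain.txt /tmp/webcerts
#   describe_chain /tmp/webcerts /tmp/webcerts/cert-3.pem
```

Because the Any in Reverse Proxy Trust Store option is global for an Access Gateway Service, review every issuer this prints before importing it, since the same trust store is consulted for all proxy services.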