7.10 Importing the Access Gateway Configuration Data

  1. Verify that the Access Gateway meets the conditions for an import:

    • The Access Gateway should not be a member of a cluster. If it is a member of a cluster, remove it from the cluster before continuing.

      In the Administration Console, click Devices > Access Gateways, select the Access Gateway, then click Actions > Remove from Cluster.

      You can create a cluster and add this machine to the cluster as the primary server after you have completed the import.

    • Delete any reverse proxies that are configured.

      In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication. In the Reverse Proxy List, select Name, then click Delete. Update the Access Gateway and the Identity Server.

  2. Click Access Gateways > [Name of Access Gateway] > Configuration > Import.

  3. Browse to the location of the configuration file, select the file, enter the password if you specified one when exporting the configuration, then click OK.

  4. When the configuration import has finished, verify the configuration for your reverse proxies.

    1. Click Access Gateways > Edit > [Name of Reverse Proxy].

    2. Verify the listening address.

      This is important if your Access Gateway has multiple network adapters. By default, the IP address of eth0 is always selected as the listening address.

    3. Verify the certificates assigned to the reverse proxy.

      The Subject Name of the certificate should match the published DNS name of the primary proxy service in the Proxy Service List.

    4. Verify the Web Server configuration. In the Proxy Service List, click the Web Server Addresses link. Check the following values:

      • Web Server Host Name: If this name has a staging prefix or suffix, remove it.

      • IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.

      • Certificates: If you have configured SSL or mutual SSL between the proxy service and the Web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. The export and import configuration option does not export and import certificates.

    5. Click OK > OK.

  5. (Conditional) If you have multiple reverse proxies, repeat Step 4 for each proxy service.

  6. On the Configuration page, click Reverse Proxy / Authentication, then select the Identity Server Cluster configuration.

  7. If you have multiple reverse proxies, verify that the Reverse Proxy value in the Embedded Service Provider section is the reverse proxy you want to use for authentication, then click OK twice.

  8. Click Access Gateways > Update.

  9. Click Identity Servers > Update.

    If your Identity Server does not prompt you for an update, complete the following steps to trigger the update:

    1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

    2. Set the Identity Server Cluster field to None, then click OK.

    3. Click Reverse Proxy / Authentication.

    4. Set the Identity Server Cluster field to the correct value, then click OK.

    5. Update the Access Gateway.

    6. Update the Identity Server.

  10. Configure the keystores for the Access Gateway.

    If you have configured the Access Gateway for SSL between the Identity Server and the Access Gateway and between the Access Gateway and the browsers, verify that the trust stores and the keystores contain the correct certificates.

    1. In the Administration Console, click Security > Certificates.

    2. Find the certificate for the Access Gateway.

      The subject name of this certificate should match the DNS name of the Access Gateway. If this certificate is not in the list, you need to create it or import it.

      This certificate should be in use by the ESP Mutual SSL and Proxy Key Store of the Access Gateway.

    3. If the certificate is not in use by the required keystores, select the certificate, then click Actions > Add Certificate to Keystores.

    4. Click the Select Keystore icon, select ESP Mutual SSL and Proxy Key Store of the Access Gateway, then click OK twice.

  11. Configure the trust stores for the Access Gateway.

    1. In the Administration Console, click Security > Certificates > Trusted Roots.

      The trusted root certificate of the CA that signed the Access Gateway certificate needs to be in the NIDP-truststore.

      The trusted root certificate of the CA that signed the Identity Server certificate needs to be in the ESP Trust Store of the Access Gateway.

    2. If you need to add a trusted root to a trust store, select the trusted root, then click Add Trusted Roots to Trust Stores.

    3. Click the Trust Store icon, select the required trust store, then click OK twice.

  12. If you made any keystore or trust store modifications, update the Access Gateway and the Identity Server.

  13. (Optional) Create a cluster configuration and add this server as the primary server.
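
A post-import check for the certificate steps (Step 4 and Step 10), added here as an example and not part of the product or its documentation: because the import does not carry certificates over, it compares the names in each reverse proxy's certificate with the published DNS name. The host names, the `ca_file` path, and all function names are assumptions for illustration.

```python
import socket
import ssl

def cert_dns_names(cert):
    """Names a TLS client matches: SAN dNSName entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Wildcard allowed only as the whole left-most label, one label deep."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_proxy(published_dns, cert):
    """Return 'ok' or a description of the name mismatch."""
    names = cert_dns_names(cert)
    if any(name_matches(n, published_dns) for n in names):
        return "ok"
    return "mismatch: certificate names %s do not cover %s" % (names, published_dns)

def fetch_cert(listen_addr, published_dns, ca_file, port=443):
    """Live variant: connect to the listening address, validate the chain
    against the expected CA root only, and return the certificate fields."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # name is reported by check_proxy instead of raising
    with socket.create_connection((listen_addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=published_dns) as tls:
            return tls.getpeercert()

def audit(proxies):
    """proxies maps published DNS name -> certificate dict."""
    return {dns: check_proxy(dns, cert) for dns, cert in proxies.items()}

# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE = {
    "www.example.com": {"subject": ((("commonName", "www.example.com"),),),
                        "subjectAltName": (("DNS", "www.example.com"),)},
    "portal.example.com": {"subject": ((("commonName", "stage-portal.example.com"),),),
                           "subjectAltName": (("DNS", "stage-portal.example.com"),)},
    "app.example.com": {"subject": ((("commonName", "*.example.com"),),)},
}

if __name__ == "__main__":
    for dns, result in audit(SAMPLE).items():
        print(dns, "->", result)
```

For a live check, pass `fetch_cert(listen_addr, published_dns, ca_file)` to `check_proxy`; a chain that does not lead to the root in `ca_file` raises `ssl.SSLCertVerificationError`.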