3.2 Using Access Manager Certificates

By default, all Access Manager components (Identity Server, Access Gateway, SSL VPN, and J2EE Agents) trust the local CA. However, browsers are not set up to trust the Access Manager CA. You need to import the trusted root certificate of the local CA (configCA) into the browsers to establish that trust; only the certificate is imported, never the CA's private key.

This section discusses the following procedures:

3.2.1 Configuring Secure Communication on the Identity Server

The Identity Server ships with a default test-connector certificate. This procedure shows you how to replace that certificate by completing the following tasks:

  • Enable SSL on the Identity Server (changing from HTTP to HTTPS)

  • Create a certificate

  • Replace the test-connector certificate with the newly created certificate

To configure SSL on the Identity Server:

  1. In the Administration Console, click Access Manager > Identity Servers > Edit.

  2. Change Protocol to HTTPS (the system changes the port to 8443).

  3. Copy the domain name of your Identity Server configuration to the Clipboard, or take note of the name. It must match the common name of the new certificate.

  4. Click SSL Certificate, then click Replace.

  5. In the Replace dialog box, click the Select Certificate icon next to the Certificate field.

  6. On the Select Certificate page, click New.

  7. Click Use local certificate authority.

    This option creates a certificate signed by the local CA (or Organizational CA), and creates the private key.

  8. Fill in the following fields:

    Certificate name: The name that you can associate with this certificate. For easy reference, you might want to paste the domain name of the Identity Server configuration in this field.

    For information on how to modify the default values before clicking OK, see Creating Certificates in the Novell Access Manager 3.0 SP4 Administration Guide.

    Subject: Click the Edit Subject icon. In the Common Name field, paste the domain name of the base URL of the Identity Server configuration. The value must be a DNS name: it cannot be an IP address and cannot begin with a digit, otherwise trust between the providers fails.

  9. Click OK.

  10. To accept the default values in the other fields, click OK twice.

    The new certificate is displayed on the Select Certificate page.

  11. Verify that the new certificate is selected, then click OK.

  12. Click OK on the Replace dialog box.

  13. Click Restart Now to restart Tomcat, as prompted.

  14. Click Close on the Keystore page.

    You should wait about thirty seconds for the restart. If your Identity Server and Administration Console are on the same machine, you need to log in to the Administration Console again.

  15. To update the Identity Server, click Access Manager > Identity Servers > Update.

  16. To update the embedded service provider of the Access Gateway to use the new URL, click Access Gateways > Update.

    This re-establishes the trust between the Access Gateway and the new base URL for the Identity Server.

  17. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished.

    1. Enter the URL to a protected resource on the Access Gateway.

    2. Complete one of the following:

3.2.2 Configuring the Access Gateway for SSL

This section describes how to set up SSL for the Access Gateway communication channels:

Configuring SSL Communication with the Browsers and the Identity Server

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy].

  2. To configure the reverse proxy for SSL, fill in the following fields:

    Enable SSL with Embedded Service Provider: Select this option to encrypt the data exchanged for authentication (the communication channel between the Identity Server and the Access Gateway). This option is only available for the reverse proxy that has been assigned to perform authentication.

    If you enable SSL between the browsers and the Access Gateway, this option is automatically selected for you. You can enable SSL with the embedded service provider without enabling SSL between the Access Gateway and the browsers. This allows the authentication and identity information that the Access Gateway and the Identity Server exchange to use a secure channel, while the Access Gateway uses non-secure channels with the browsers and the Web servers. This saves processing overhead if the data on the Web servers is not sensitive. Keep in mind that in this configuration the session cookie the Access Gateway issues to the browser, and every request and response the user sends through the gateway, travel in cleartext and can be read or replayed by anyone on the network path.

    Enable SSL between Browser and Access Gateway: Select this option to require SSL connections between your clients and the Access Gateway. SSL must be configured between the browsers and the Access Gateway before you can configure SSL between the Access Gateway and the Web servers. For this process, see Enabling SSL between the Reverse Proxy and Its Web Servers.

    Redirect Requests from Non-Secure Port to Secure Port: Determines whether browsers are redirected to the secure port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.

  3. To generate a certificate key by using the Access Manager CA:

    1. Click Auto-generate Key, then click OK twice.

    2. On the Select Certificate page, make sure the certificate is selected, then click OK.

      The generated certificate appears in the Server Certificate text box.

  4. Configure the ports for SSL:

    Non-Secure Port: Specifies the port on which to listen for HTTP requests. The default port for HTTP is 80. If you have selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port. If the browser cannot establish an SSL connection, the session is terminated.

    Secure Port: Specifies the port on which to listen for HTTPS requests (which is usually 443). This port needs to match the configuration for SSL. If SSL is enabled, this port is used for all communication with the browsers. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.

  5. In the Proxy Service List, click [Name of Proxy Service] > Protected Resources.

  6. In the Protected Resource List, change the Contract assignments from HTTP contracts to HTTPS contracts.

    For example, if a protected resource is using the Name/Password - Basic contract, click the name and change it to the Secure Name/Password - Basic or the Secure Name/Password - Form contract. Then click OK.

    To enable single sign-on, select the same contract for all the protected resources.

  7. Click Configuration Panel, then in the confirmation box, click OK.

  8. On the Server Configuration page, click OK.

  9. On the Access Gateways page, click Update > OK.

  10. Update the Identity Server so that it uses the new SSL configuration. Click Identity Servers > Update.

  11. Verify that the trusted relationship between the Identity Server and the Access Gateway has been reestablished:

    1. Enter the URL to a protected resource on the Access Gateway. For example, enter

      https://www.mytest.com
      
    2. Complete one of the following:

Enabling SSL between the Reverse Proxy and Its Web Servers

To enable SSL between the reverse proxy and the Web servers, you must have already performed the following tasks:

  • Enabled SSL between the Access Gateway and the browsers. See Section 1.4.1, Configuring a Reverse Proxy and select the Enable SSL between Browser and Access Gateway field.

  • Enabled SSL on the Web server. See your Web server documentation.

If you have completed these tasks:

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

  2. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 1.4.1, Configuring a Reverse Proxy and select the Enable SSL between Browser and Access Gateway field.

  3. In the Connect Port field, specify the port that your Web server uses for SSL communication.

  4. Configure how you want the certificate verified. The Access Gateway platforms support different options:

    1. (Conditional) If you are configuring a Linux Access Gateway, select one of the following options:

      • To skip verification of the Web server's certificate, select Do not verify for the Web Server Trusted Root. The Access Gateway then accepts whatever certificate the Web server presents, so it cannot detect a substituted server; use this only for testing. Continue with Step 9.

      • To allow the certificate to match any certificate in the trust store, select Any in Reverse Proxy Trust Store for the Web Server Trusted Root. Continue with Step 9.

      • To add a certificate to the trust store for the Web server, click the Manage Reverse Proxy Trust Store icon. Continue with Step 4.c.

    2. (Conditional) If you are configuring a NetWare® Access Gateway, all the certificates in the certificate chain of the Web server must be in its trust store. To add these certificates to the trust store, click Any in Reverse Proxy Trust Store. Continue with Step 4.c.

    3. The auto import screen appears.

  5. Ensure that the IP address of the Web server and the port match your Web server configuration.

    If these values are wrong, you have entered them incorrectly on the Web server page. Click Cancel and reconfigure them before continuing.

  6. Click OK.

    Wait while the Access Gateway retrieves the server certificate, the root CA certificate, and any intermediate CA certificates in the chain from the Web server.

  7. Specify an alias, then click OK.

    All the displayed certificates are added to the trust store.

  8. Click Close.

  9. (Optional) For mutual authentication, the Access Gateway platforms support different options:

    1. (Conditional) If you are configuring a Linux Access Gateway, you need to select the certificate. Click the Select Certificate icon, select the certificate you created for the reverse proxy, then click OK.

      This is only part of the process. You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service.

    2. (Conditional) If you are configuring a NetWare Access Gateway, the text box displays the certificate that is sent to the Web server if the Web server requires it. If the Web server is not set up for mutual SSL, the certificate is not sent.

      To set up the Web server for mutual SSL, you need to import the trusted root certificate of the CA that signed the certificate displayed in the text box.

  10. Click Configuration Panel, then click OK.

  11. On the Configuration page, click OK.

  12. On the Access Gateways page, click Update.

  13. (Optional) To test this configuration from a client browser:

    1. Enter the published DNS name as the URL in the browser.

    2. Click the links that require authentication for access.
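The following is an added example written for this page; it is not code from the Access Manager product or its documentation. It is a POSIX shell script that uses the openssl command line to create a throwaway local CA in the role of configCA, issue certificates from it and from an unrelated CA, and then run the two checks an administrator wants after the procedures above: that the Identity Server certificate's Common Name equals the base URL hostname and obeys the rule in Section 3.2.1 step 8 (not an IP address, not starting with a digit), and that a Web server certificate chains to a CA in the reverse proxy trust store (what Any in Reverse Proxy Trust Store enforces, and what Do not verify skips). The names idp.example.com, www.mytest.com, 10.0.0.5, the base URL path /nidp/app and the file names are assumptions. The script does not contact an Access Manager installation; to check a deployed server, capture its certificate from the live port (for example with openssl s_client -connect host:8443 -showcerts) and pass that file to the same functions.

```shell
#!/bin/sh
# Added example, not part of the Access Manager guide. Builds a throwaway local
# CA (standing in for configCA), issues certificates with openssl, then checks:
#   1. the Identity Server certificate's CN equals the base URL hostname and
#      obeys the step 8 rule (not an IP address, not starting with a digit);
#   2. a Web server certificate chains to a CA in the trust store ("Any in
#      Reverse Proxy Trust Store"), and one signed by a CA that is not in the
#      store is rejected ("Do not verify" would accept it).
# Assumed names: idp.example.com, www.mytest.com, 10.0.0.5, the CA labels.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN : self-signed CA key and certificate in $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server_cert NAME CA CN : key, CSR and certificate signed by CA
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# base_url_host URL : hostname of a base URL such as
# https://idp.example.com:8443/nidp/app (scheme, port and path stripped)
base_url_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[:/].*$##'
}

# hostname_ok HOST : the step 8 rule for the Common Name
hostname_ok() {
    case "$1" in
        ''|[0-9]*|\[*) return 1 ;;   # empty, IPv4 literal or digit-leading name, IPv6 literal
    esac
    return 0
}

# cert_cn CERTFILE : Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cn_matches_base_url CERTFILE BASE_URL : succeeds only if the CN is a valid
# hostname under the step 8 rule and equals the base URL hostname
cn_matches_base_url() {
    host=$(base_url_host "$2")
    hostname_ok "$host" || return 1
    [ "$(cert_cn "$1")" = "$host" ]
}

# chain_ok CERTFILE TRUST_STORE : succeeds if CERTFILE chains to a CA in the store
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

IDP_URL="https://idp.example.com:8443/nidp/app"       # assumed Identity Server base URL

make_ca configCA "configCA"                             # the local Access Manager CA
make_ca otherCA  "Unrelated CA"                         # a CA the gateway does not trust
make_server_cert idp       configCA "idp.example.com"   # correct Identity Server certificate
make_server_cert badname   configCA "10.0.0.5"          # CN is an IP address: violates step 8
make_server_cert webserver otherCA  "www.mytest.com"    # Web server certificate from the untrusted CA
cp "$WORK/configCA.crt" "$WORK/truststore.pem"          # reverse proxy trust store: configCA only

# report LABEL COMMAND... : print PASS or FAIL for one check
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

report "idp.crt CN matches $IDP_URL"        cn_matches_base_url "$WORK/idp.crt" "$IDP_URL"
report "badname.crt CN is a valid hostname" cn_matches_base_url "$WORK/badname.crt" "https://10.0.0.5:8443/nidp/app"
report "idp.crt chains to configCA"         chain_ok "$WORK/idp.crt" "$WORK/truststore.pem"
report "webserver.crt chains to configCA"   chain_ok "$WORK/webserver.crt" "$WORK/truststore.pem"
```

The first and third checks pass; the second fails because an IP address is not an acceptable Common Name, and the fourth fails because the Web server certificate was issued by a CA that is not in the trust store. That last failure is the point of Any in Reverse Proxy Trust Store: the gateway refuses the connection instead of trusting an unknown issuer, which is exactly the case Do not verify would silently accept.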