The following SSL configuration instructions assume that you have already created or imported the certificate that you are going to use for SSL. This certificate must have a subject name (CN) that matches the published DNS name of the proxy service that you are going to use for authentication. You can obtain this certificate in one of two ways:

- You can use the Access Manager CA to create this certificate. See Creating a Locally Signed Certificate in the Novell Access Manager 3.1 SP2 Administration Console Guide.
- You can create a certificate signing request (CSR), send it to an external CA, then import the returned certificates into Access Manager. See Generating a Certificate Signing Request and Importing Public Key Certificates (Trusted Roots) in the Novell Access Manager 3.1 SP2 Administration Console Guide.
If you are going to set up SSL communication between the Identity Server and the Access Gateway for authentication and you have configured the Identity Server to use certificates created by an external CA, you need to import the public certificate of this CA into the trusted root keystore of the Access Gateway.
If you haven't already imported the public certificate of this CA into the trusted root store of the Identity Server, do so now. For instructions, see Importing Public Key Certificates (Trusted Roots) in the Novell Access Manager 3.1 SP2 Administration Console Guide.
To add the public certificate to the Access Gateway:

1. In the Administration Console, click > > > > .
2. In the section, click .
3. Click the icon, select the public certificate of the CA that signed the Identity Server certificates, then click .
4. Specify an alias, then click twice.
5. To apply the changes, click , then click on the Access Gateways page.

If you are going to set up SSL between the Access Gateway and the Web servers, you need to configure your Web servers for SSL. Your Web servers must supply a certificate that clients (in this case, the Access Gateway) can import. See your Web server documentation for information on how to configure the Web server for SSL.
For mutual SSL, the proxy service must supply a certificate that the Web server can trust. This certificate can be the same one you use for SSL between the browsers and the reverse proxy.