3.6 Managing Access Gateway Certificates

3.6.1 Managing Embedded Service Provider Certificates

The Access Gateway uses an Embedded Service Provider to communicate with the Identity Server. The Service Provider Certificates page allows you to view the private keys, certificate authority (CA) certificates, and certificate containers associated with this module. These keystores do not contain the certificates that the Access Gateway uses for SSL connections to browsers or to back-end Web servers.

To view or modify these certificates:

  1. In the Administration Console, click Devices > Access Gateways > Edit > Service Provider Certificates.

  2. Configure the following:

    Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.

    Trusted Roots: The trusted root certificate container for the CA certificates associated with the Access Gateway. Click this link to access the trust store, where you can add trusted roots to the container.

    The Embedded Service Provider must trust the certificate of the Identity Server that the Access Gateway has been configured to trust. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured the Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of this CA to the Trusted Roots store. To import this certificate, click Trusted Roots, then in the Trusted Roots section, click Auto-Import From Server. Fill in the IP address or DNS name of your Identity Server and its port, then click OK.

    You can also auto import the Identity Server certificate by selecting the Auto-Import Identity Server Configuration Trusted Root option on the Reverse Proxies / Authentication page (click Devices > Access Gateways > Edit > Reverse Proxies / Authentication). With this option, you do not need to specify the IP address and port of the Identity Server.

  3. To save your changes to browser cache, click OK.

  4. To apply your changes, click the Access Gateways link, then click Update > OK.

3.6.2 Managing Reverse Proxy and Web Server Certificates

You select Access Gateway certificates on two pages in the Administration Console:

  • Devices > Access Gateways > Edit > [Name of Reverse Proxy]

  • Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers

When you configure certificates on these pages, you need to be aware that two phases are used to push the certificates into active use.

Phase 1: When you select a certificate on one of these pages, then click OK, the certificate is placed in the keystore on the Administration Console and it is pushed to the Access Gateway. The certificate is available for use, but it is not used until you update the Access Gateway.

Phase 2: When you select to update the Access Gateway, the configuration for the Access Gateway is modified to contain references to the new certificate and the configuration change is sent to the Access Gateway. The Access Gateway loads and uses the new certificate.