20.5 Configuring SSL Communication with Browsers and Access Gateway

This section explains how to enable SSL communication between Access Gateway and the browsers (channel 4 in Figure 20-1).

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. Configure the reverse proxy for SSL by filling in the following fields:

    Enable SSL with Embedded Service Provider: Select this option to encrypt the data exchanged for authentication (the communication channel between Identity Server and Access Gateway). This option is available only for the reverse proxy that has been assigned to perform authentication.

    If you enable SSL between the browsers and Access Gateway, this option is automatically selected for you. You can enable SSL with the Embedded Service Provider without enabling SSL between Access Gateway and the browsers. This allows the authentication and identity information that Access Gateway and Identity Server exchange to use a secure channel, but allows the data that Access Gateway retrieves from the back-end web servers and sends to users to use a non-secure channel. This saves processing overhead if the data on the web servers is not sensitive.

    Enable SSL between Browser and Access Gateway: Select this option to require SSL connections between your clients and Access Gateway. SSL must be configured between the browsers and Access Gateway before you can configure SSL between Access Gateway and the web servers.

    Redirect Requests from Non-Secure Port to Secure Port: Determines whether browsers are redirected to the secure port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.

    This option is only available if you have selected Enable SSL with Embedded Service Provider.

  3. Select the certificate to use for SSL between Access Gateway and browsers. Select one of the following methods:

    • To auto-generate a certificate key by using the Access Manager CA, click Auto-generate Key, then click OK twice. The generated certificate appears in the Server Certificate text box.

      The generated certificate uses the published DNS name of the first proxy service for the Subject name of the certificate. If there is more than one proxy service, the CA generates a wildcard certificate (*.Cookie Domain).

      If you have not created a proxy service for this reverse proxy, wait until you have created a proxy service before generating the key. This allows the CN in the Subject field of the certificate to match the published DNS name of the proxy service.

    • To select a certificate, click the Select Certificate icon, select the certificate you have created for the DNS name of your proxy service, then click OK. The certificate appears in the Server Certificate text box. For SSL to work, the CN in the Subject field of the certificate must match the published DNS name of the proxy service.
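The CN / wildcard rule above is the one browsers apply when they validate the server certificate, so it is worth checking before the certificate is assigned. The following is an added example (not code from the Access Manager product or its documentation) that checks whether a certificate's names cover the published DNS names of the proxy services, using the RFC 6125 rules a browser uses: a wildcard is honoured only as the whole leftmost label and covers exactly one label. The certificate names are passed in as plain strings (on a real system, take them from `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`); the host names and the `*.example.com` certificate are constructed sample data.

```python
# Added example (not part of the Access Manager documentation): checks whether
# the names in a server certificate cover the published DNS names of the proxy
# services on a reverse proxy, using the RFC 6125 matching rules that browsers
# apply. Certificate names are passed in as strings; on a real system take them
# from `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`.


def name_matches(cert_name: str, published_dns_name: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers the host name.

    A wildcard is honoured only as the whole leftmost label ("*.example.com"),
    it covers exactly one label, and it must leave at least two labels to the
    right so that "*.com" never matches anything.
    """
    cert = cert_name.strip().lower().rstrip(".")
    host = published_dns_name.strip().lower().rstrip(".")
    if cert == host:
        return True
    if not cert.startswith("*."):
        return False                  # partial wildcards such as "w*" are not accepted
    suffix = cert[1:]                 # "*.example.com" -> ".example.com"
    if suffix.count(".") < 2:
        return False                  # refuse "*.com"-style wildcards
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # The wildcard stands in for one non-empty label only: "www" yes, "a.b" no,
    # and "" no (so "*.example.com" does not cover "example.com" itself).
    return leftmost != "" and "." not in leftmost


def uncovered_names(subject_cn: str, san_dns_names: list, published_dns_names: list) -> list:
    """Return the published DNS names the certificate does not cover.

    Browsers ignore the subject CN as soon as the certificate carries a
    subjectAltName extension, so the CN is consulted only for a certificate
    without SAN entries.
    """
    cert_names = list(san_dns_names) if san_dns_names else [subject_cn]
    return [
        host for host in published_dns_names
        if not any(name_matches(name, host) for name in cert_names)
    ]


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate for a cookie domain of
    # example.com, as generated when a reverse proxy carries more than one
    # proxy service. The third proxy service sits one label deeper and is
    # therefore not covered by the wildcard.
    published = ["portal.example.com", "mail.example.com", "api.internal.example.com"]
    missing = uncovered_names("*.example.com", ["*.example.com"], published)
    print("not covered by the certificate:", missing)   # ['api.internal.example.com']
```

If the check reports an uncovered name, either publish the proxy service directly under the cookie domain so the wildcard covers it, or select a certificate whose SAN lists every published DNS name; a certificate that only matches in the CN will still be rejected by current browsers once a SAN extension is present.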

  4. (Conditional) If you selected a certificate in Step 3 that was created by an external CA, click Auto-Import Embedded Service Provider Trusted Root > OK > specify an alias name > OK > Close.

    This option imports the public key from the Embedded Service Provider into the trust store of Identity Servers in the selected Identity Server Configuration. This sets up a trusted SSL relationship between Identity Server and ESP.

    If you are using certificates signed by the Access Manager CA, the public key is automatically added to this trust store.

  5. Configure the ports for SSL:

    Non-Secure Port: Specifies the port on which to listen for HTTP requests. The default port for HTTP is 80.

    • If you selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port. If the browser cannot establish an SSL connection, the session is terminated.

    • If you do not select the Redirect Requests from Non-Secure Port to Secure Port option, this port is not used when SSL is enabled.

    IMPORTANT: If you choose not to redirect HTTP requests (port 80) and your Access Gateway has only one IP address, do not use port 80 to configure another reverse proxy. Although it is not used, it is reserved for this reverse proxy.

    Secure Port: Specifies the port on which to listen for HTTPS requests (usually 443). This port needs to match the configuration for SSL. If SSL is enabled, this port is used for all communication with the browsers. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.
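The two listener rules in this step (a non-secure port stays reserved even when redirection is off, and no address/port pair may be shared with another reverse proxy or tunnel) are easy to violate on a gateway with a single IP address. The following added example (not code from Access Manager) validates a constructed set of reverse proxies and tunnels against those rules; the `ReverseProxy` and `Tunnel` classes, the names and the 10.0.0.5 address are all assumptions made for the example.

```python
# Added example (not part of the Access Manager documentation): a validator for
# the listener rules in step 5, run over a constructed set of reverse proxies
# and tunnels. Every (listening address, port) pair may belong to exactly one
# reverse proxy or tunnel, and a reverse proxy keeps its non-secure port even
# when "Redirect Requests from Non-Secure Port to Secure Port" is off.
from dataclasses import dataclass


@dataclass
class ReverseProxy:
    name: str
    address: str                # listening IP address of the Access Gateway
    non_secure_port: int = 80   # HTTP listener (reserved even if unused)
    secure_port: int = 443      # HTTPS listener, used only when ssl_enabled
    ssl_enabled: bool = False   # "Enable SSL between Browser and Access Gateway"
    redirect_to_secure: bool = False


@dataclass
class Tunnel:
    name: str
    address: str
    port: int


def reserved_listeners(item) -> list:
    """Return the (address, port, owner) tuples an object claims."""
    if isinstance(item, Tunnel):
        return [(item.address, item.port, item.name)]
    # A reverse proxy always claims its non-secure port: when SSL is on and
    # redirect is off, the port is idle but still reserved for this proxy.
    claims = [(item.address, item.non_secure_port, item.name)]
    if item.ssl_enabled:
        claims.append((item.address, item.secure_port, item.name))
    return claims


def find_listener_conflicts(items) -> list:
    """Return [(address, port, [owner names]), ...] for every pair claimed more than once."""
    owners = {}
    for item in items:
        for address, port, owner in reserved_listeners(item):
            owners.setdefault((address, port), []).append(owner)
    return sorted(
        (address, port, sorted(names))
        for (address, port), names in owners.items()
        if len(names) > 1
    )


def idle_but_reserved_ports(items) -> list:
    """Non-secure ports that accept no traffic yet may not be reused (the IMPORTANT note)."""
    return sorted(
        (rp.address, rp.non_secure_port, rp.name)
        for rp in items
        if isinstance(rp, ReverseProxy) and rp.ssl_enabled and not rp.redirect_to_secure
    )


# Constructed sample: a single-address gateway hosting three proxies and a tunnel.
SAMPLE_CONFIG = [
    ReverseProxy("rp-portal", "10.0.0.5", 80, 443, ssl_enabled=True, redirect_to_secure=False),
    ReverseProxy("rp-mail", "10.0.0.5", 80, 8443, ssl_enabled=True, redirect_to_secure=True),
    ReverseProxy("rp-intranet", "10.0.0.5", 8080, 9443, ssl_enabled=True, redirect_to_secure=True),
    Tunnel("tunnel-ldap", "10.0.0.5", 9443),
]

if __name__ == "__main__":
    for address, port, names in find_listener_conflicts(SAMPLE_CONFIG):
        print(f"{address}:{port} is claimed by {', '.join(names)}")
    for address, port, name in idle_but_reserved_ports(SAMPLE_CONFIG):
        print(f"{address}:{port} is idle but reserved for {name}")
```

Run against the sample, the validator flags port 80 (claimed by rp-mail although rp-portal reserves it without redirecting) and port 9443 (shared by rp-intranet and the tunnel); the fix is to move the second reverse proxy to an unused non-secure port or to a second listening address.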

  6. Click OK.

  7. On the Configuration page, click Reverse Proxy / Authentication.

  8. (Conditional) If you are using an externally signed certificate for the Identity Server cluster, you need to import the public key of the CA:

    1. In the Embedded Service Provider section, click Auto-Import Identity Server Trusted Root, then click OK.

    2. Specify an alias, click OK twice, then click Close.

      This option imports the public key of Identity Server into the trust store of the Embedded Service Provider. This sets up a trusted SSL relationship between the Embedded Service Provider and Identity Server.

      The configCA public key certificate of the Access Manager CA is automatically added to the ESP Trust Store. If you are using Access Manager CA certificates for Identity Server, you do not need to import the configCA certificate unless someone has deleted it from this trust store.

  9. Click OK.

  10. On the Server Configuration page, click OK.

  11. On the Access Gateways page, click Update > OK.

    ESP is restarted during the update.

  12. Update Identity Server so that it uses the new SSL configuration. Click Identity Servers > Update.

  13. Verify that the trusted relationship between Identity Server and Access Gateway has been reestablished.

    1. Enter the URL to a protected resource on Access Gateway.

    2. Complete one of the following: