
SSL-izing Traffic from Access Gateway to the SSL VPN Server

Novell Cool Solutions: Feature
By Chendil Kumar


Posted: 6 Dec 2006

Introduction

Novell Access Manager 3.0 is a comprehensive access control solution. It provides seamless single sign-on across technical and organizational boundaries, based on access control and identity federation standards. The product combines capabilities such as multi-factor authentication, data encryption, clientless single sign-on and SSL VPN for secure access from any location, with simplified deployment and administration.

The Novell SSL VPN provides secure access to non-HTTP applications inside a corporate network. It relies on the identity services of Novell Access Manager for authentication and access control. The SSL VPN server itself is a Tomcat servlet that accepts browser requests forwarded by the Access Gateway and handles client sessions.

By default the Novell SSL VPN listens on HTTP port 8080, so the Access Gateway forwards requests to the SSL VPN servlet in cleartext. When the two components run on different machines, that traffic can be read or altered by anyone with access to the network between them, so the hop should be protected with HTTPS just like the connection from the browser to the Access Gateway. This AppNote describes how to configure the SSL VPN server's Tomcat to listen on HTTPS port 8443, and how to configure the Access Gateway and the SSL VPN to communicate over HTTPS.

Configuring the Secure Socket

To enable the Novell Access Manager 3.0 SSL VPN and the Access Gateway to communicate using HTTPS, you must modify the secure socket in the server.xml file. The configuration steps differ, depending on whether the Novell Access Manager 3.0 SSL VPN and Access Gateway are installed on the same machine or on different machines.

Figure 1 - SSL connection

Scenario 1: SSL VPN Server and Access Gateway Installed on Different Machines

If the SSL VPN server and the Access Gateway are installed on different machines, configure the secure socket in the server.xml file as follows:

1. Open a terminal window.

2. Log in to SLES 9 as the root user.

3. Open the following file:

/var/opt/novell/tomcat4/conf/conf/server.xml

The default server.xml file includes an example <Connector> element for an SSL connector as follows:

<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
-->

4. Uncomment the <Connector> element by removing the <!-- and --> lines that surround it (the element is commented out by default).

5. The port attribute is the TCP/IP port on which Tomcat listens for secure connections; the default value is 8443. Note that the <Factory> element as shipped names no keystore. Tomcat 4 then looks for the server's key pair in a file named .keystore in the home directory of the account Tomcat runs as, protected by the password changeit. If the keystore on this machine is somewhere else or uses another password, add keystoreFile="/path/to/keystore" and keystorePass="password" to the <Factory> element; without a usable keystore the 8443 listener does not come up and the check in step 7 shows nothing. Scenario 2 below shows how to create the keystore with keytool.

6. Restart Tomcat by entering the following command:

/etc/init.d/novell-tomcat4 restart

7. Check the status by entering the following command:

netstat -antpl | grep 8443

The output should display this:

tcp        0      0 :::8443                 :::*                    LISTEN

Scenario 2: SSL VPN and Linux Access Gateway Installed On the Same Machine

If SSL VPN server and Linux Access Gateway are installed on the same machine, configure the secure socket in the server.xml file as follows:

1. Open a terminal window.

2. Log in as the root user.

3. Enter the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore /var/opt/novell/novlwww/

This creates an RSA key pair and a self-signed certificate for the SSL VPN server.

4. Specify the keystore password when prompted. The default password Tomcat expects is "changeit" (all lowercase). On a production server choose a different password and set it with the keystorePass attribute of the <Factory> element you uncomment in step 8; a keystore protected by the well-known default adds little protection for the server's private key.

5. Specify the general information about the certificate when prompted. The answer to the "first and last name" question becomes the certificate's Common Name (CN): enter the host name (or address) that the Access Gateway uses to reach the SSL VPN server, because that is the name a client compares with the name it connected to. The remaining fields (organizational unit, organization, city, state, country) are informational and are shown to anyone who inspects the certificate, so make sure they identify your organization correctly.

6. Specify the key password when prompted. Tomcat requires the key password to be the same as the keystore password, so enter the value you used in step 4 ("changeit" if you kept the default).

On successful completion, the keystore file containing the new self-signed certificate is in

/var/opt/novell/novlwww/

7. Open the following file:

/var/opt/novell/tomcat4/conf/conf/server.xml

The default server.xml file installed with Tomcat includes an example <Connector> element for an SSL connector, as follows:

<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
-->

8. Uncomment the <Connector> element by removing the <!-- and --> lines that surround it (the element is commented out by default).

9. The port attribute is the TCP/IP port on which Tomcat listens for secure connections; the default value is 8443. The <Factory> element names no keystore, so Tomcat 4 loads .keystore from the home directory of the account it runs as, using the password changeit. If the keystore created in step 3 is not that file, or you chose a different password in step 4, add keystoreFile="/path/to/keystore" and keystorePass="password" to the <Factory> element.

10. Restart Tomcat after saving the file by entering the following command:

/etc/init.d/novell-tomcat4 restart

11. Check the status by entering the following command:

netstat -antpl | grep 8443

The output should display this:

tcp        0      0 :::8443                 :::*                    LISTEN
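The server.xml edit is the same in Scenario 1 and Scenario 2, and the netstat check only tells you that something is listening on 8443. The following script is an added example (it is not Novell or Apache code) that audits a server.xml with Python's standard XML parser and reports the points a reviewer would look for after the edit: whether the SSL <Connector> is still commented out, whether the <Factory> relies on Tomcat 4's default keystore location and default password, and whether the plain 8080 connector still listens alongside the HTTPS one. The Server/Service skeleton around the connectors is a constructed sample, and the keystore path and password in the hardened variant are hypothetical placeholders; the article does not give them.

```python
"""Audit a Tomcat 4 server.xml for the SSL connector set-up described above.

Added example, not Novell or Apache code.  Findings reported:
  * the SSL <Connector> is still commented out (no secure="true" connector)
  * the <Factory> has no keystoreFile, so Tomcat 4 loads .keystore from the
    home directory of the account it runs as (fine only if keytool wrote it there)
  * keystorePass is absent or "changeit", Tomcat's well-known default
  * the plain HTTP connector (8080) still listens alongside the HTTPS one
The keystore path and password in SSL_8443_HARDENED are hypothetical.
"""
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_KEYSTORE_PASSWORD = "changeit"


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments, so a
    findings = []                   # commented-out connector is invisible here
    secure_ports, plain_ports = [], []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("secure") != "true":
            plain_ports.append(port)
            continue
        secure_ports.append(port)
        factory = conn.find("Factory")
        if factory is None:
            findings.append(f"port {port}: secure connector has no <Factory>")
            continue
        if factory.get("keystoreFile") is None:
            findings.append(f"port {port}: no keystoreFile attribute; Tomcat 4 "
                            "loads .keystore from the Tomcat account's home "
                            "directory, so confirm that is where keytool wrote it")
        if (factory.get("keystorePass", TOMCAT_DEFAULT_KEYSTORE_PASSWORD)
                == TOMCAT_DEFAULT_KEYSTORE_PASSWORD):
            findings.append(f"port {port}: keystore password is Tomcat's default "
                            f"'{TOMCAT_DEFAULT_KEYSTORE_PASSWORD}'")
    if not secure_ports:
        findings.append("no secure connector: the SSL <Connector> is still commented out")
    elif plain_ports:
        findings.append(f"plain HTTP connector(s) on port(s) {', '.join(plain_ports)} "
                        f"still listen alongside HTTPS on {', '.join(secure_ports)}")
    return findings


def _server_xml(*connectors):
    """Wrap connector fragments in the Server/Service skeleton Tomcat 4 expects
    (constructed sample; other default elements omitted)."""
    return ('<Server port="8005" shutdown="SHUTDOWN">\n'
            '<Service name="Tomcat-Standalone">\n' + "\n".join(connectors) + '\n'
            '<Engine name="Standalone" defaultHost="localhost">\n'
            '<Host name="localhost" appBase="webapps"/>\n'
            '</Engine>\n</Service>\n</Server>\n')


# Default (non-SSL) connector on 8080, the port the SSL VPN listens on as shipped.
PLAIN_8080 = '''<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8080" minProcessors="5" maxProcessors="75" enableLookups="true"
           redirectPort="8443" acceptCount="10" debug="0" connectionTimeout="60000"/>'''

# The SSL connector exactly as the article shows it, once uncommented.
SSL_8443_AS_IN_ARTICLE = '''<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>'''

# Same connector with an explicit keystore and a non-default password
# (hypothetical path and password; substitute your own).
SSL_8443_HARDENED = SSL_8443_AS_IN_ARTICLE.replace(
    'protocol="TLS"/>',
    'protocol="TLS"\n           keystoreFile="/var/opt/novell/novlwww/sslvpn.keystore"\n'
    '           keystorePass="use-a-real-secret-here"/>')

AS_SHIPPED = _server_xml(PLAIN_8080, "<!--\n" + SSL_8443_AS_IN_ARTICLE + "\n-->")
AFTER_UNCOMMENTING = _server_xml(PLAIN_8080, SSL_8443_AS_IN_ARTICLE)  # step 4 / step 8 done
HARDENED = _server_xml(SSL_8443_HARDENED)  # explicit keystore, 8080 connector removed

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED),
                      ("after uncommenting", AFTER_UNCOMMENTING),
                      ("hardened", HARDENED)):
        print(f"== {name} ==")
        for finding in audit_server_xml(cfg) or ["ok"]:
            print("  " + finding)
```

Run it against the real file with `audit_server_xml(open("/var/opt/novell/tomcat4/conf/conf/server.xml").read())` after each edit. The "after uncommenting" sample, which is the state the two procedures above leave you in, produces three findings: the keystore location is implicit, the password is the default, and 8080 is still open. Whether the first two are real problems depends on where keytool put the keystore and which password you chose in step 4; the third is a decision to make once the Access Gateway has been switched to 8443.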

Configuring the SSL-izer between Access Gateway and SSL VPN

The Access Gateway has to trust the certificate that the SSL VPN Tomcat server now presents. Because the certificate created with keytool is self-signed, export it from the keystore and import it into the Access Gateway's trust store, then update the Access Gateway's Web server configuration for the SSL VPN (Figure 2) so that it connects to the SSL VPN server over HTTPS on port 8443 instead of plain HTTP on port 8080. For the Access Gateway configuration steps, see the Novell Access Manager documentation:
http://www.novell.com/documentation/novellaccessmanager/index.html

Figure 2 - Web Server SSL configuration

Conclusion

The SSL VPN server can be configured to listen on port 8443 by modifying the server.xml file, and the Access Gateway can be pointed at that port by configuring the SSL-izer between the Access Gateway and the SSL VPN server. With both in place, the Novell Access Manager 3.0 SSL VPN and the Access Gateway communicate over HTTPS. Note that uncommenting the 8443 connector does not remove the original HTTP connector: Tomcat keeps listening on port 8080 as well. Once the Access Gateway has been switched to 8443, comment out the 8080 <Connector> in server.xml or block port 8080 at the firewall so that the cleartext path can no longer be used.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell