SSL must be enabled between the Access Gateway and the browsers before you can enable it between the Access Gateway and its Web servers.
In the Administration Console, click > > > > > .
To configure SSL, select .
This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 3.3, Configuring SSL Communication with the Browsers and the Identity Server and select the field.
Configure how you want the proxy service to verify the Web server certificate:
Select one of the following options:
To not verify this certificate, select for the option. Use this option when you want the information between the Access Gateway and the Web server encrypted, but you don’t need the added security of verifying the Web server certificate.
Continue with Step 4.
To verify the certificate authority of the Web server certificate, select . When this option is selected, the public certificate of the certificate authority must be added to the proxy trust store.
IMPORTANT: For an Access Gateway Service, this option is a global option. If you select this option for one proxy service, all proxy services on an Access Gateway Service are flagged to verify the public certificate. This verification is done even when other proxy services are set to .
If the Web server certificate is part of a chain of certificates, you need to enable the option and specify how many certificates are in the chain. For more information about this option, see Section 1.1.3, Configuring Advanced Options for a Domain-Based Proxy Service.
Click the icon. The auto import screen appears.
If the Access Gateway is a member of a cluster, the cluster members are listed. The Web server certificate is imported into the trust stores of each cluster member.
Ensure that the IP address of the Web server and the port match your Web server configuration.
If these values are wrong, you have entered them incorrectly on the Web server page. Click and reconfigure them before continuing.
Click .
The server certificate, the Root CA certificate, and any certificate authority (CA) certificates from a chain are listed.
If the whole chain is not displayed, import what is displayed. You then need to manually import the missing parents in the chain. A parent is missing if the chain does not include a certificate where the Subject and the Issuer have the same CN.
Specify an alias, then click .
All the displayed certificates are added to the trust store.
Click .
(Optional) Set up mutual authentication so that the Web server can verify the proxy service certificate:
Click the icon.
Select the certificate you created for the reverse proxy, then click .
This is only part of the process. You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service. For instructions, see your Web server documentation.
In the field, specify the port that your Web server uses for SSL communication. The following table lists some common servers and their default ports.
To save your changes to browser cache, click .
To apply your changes, click the link, then click > .
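The chain check from the auto import step (a parent is missing if no listed certificate has the same CN as Subject and Issuer) can be run against a Web server before importing. The following is an added example, not part of the product documentation: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports which issuer certificates still need to be imported manually. The sample output and all names in it are constructed.

```python
import re

# Constructed sample (made-up names): the "Certificate chain" section that
# `openssl s_client -showcerts` prints, one s:/i: pair per certificate.
SAMPLE_INCOMPLETE = """\
Certificate chain
 0 s:C = US, O = Example Corp, CN = web1.example.test
   i:C = US, O = Example Corp, CN = Example Issuing CA
 1 s:C = US, O = Example Corp, CN = Example Issuing CA
   i:C = US, O = Example Corp, CN = Example Root CA
"""
SAMPLE_COMPLETE = SAMPLE_INCOMPLETE + """\
 2 s:C = US, O = Example Corp, CN = Example Root CA
   i:C = US, O = Example Corp, CN = Example Root CA
"""

_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")
# CN attribute in either "C = US, CN = x" or older "/C=US/CN=x" layout.
_CN = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/\n]+)")

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order presented."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        cn = _CN.search(m.group(2))
        name = (cn.group(1) if cn else m.group(2)).strip()
        if m.group(1) == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain

def has_root(chain):
    """The page's test: some certificate has the same Subject and Issuer CN."""
    return any(subject == issuer for subject, issuer in chain)

def missing_parents(chain):
    """Issuer CNs that appear on no listed certificate as a Subject CN."""
    subjects = {subject for subject, _ in chain}
    missing = []
    for _, issuer in chain:
        if issuer not in subjects and issuer not in missing:
            missing.append(issuer)
    return missing

if __name__ == "__main__":
    for label, text in (("incomplete", SAMPLE_INCOMPLETE), ("complete", SAMPLE_COMPLETE)):
        chain = parse_chain(text)
        print(label, "root present:", has_root(chain), "import:", missing_parents(chain))
```

This compares CNs only, mirroring the manual check described in the import step; it does not validate signatures, so the trust decision still rests on the certificates you import into the proxy trust store.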