14.4 Configuring SSL between the Proxy Service and the Web Servers

SSL must be enabled between the Access Gateway and the browsers before you can enable it between the Access Gateway and its Web servers.

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

    Configuring SSL to the Web Servers
  2. To configure SSL, select Connect Using SSL.

    This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 14.3, Configuring SSL Communication with the Browsers and the Identity Server and select the Enable SSL between Browser and Access Gateway field.

  3. In the Connect Port field, specify the port that your Web server uses for SSL communication. The following table lists some common servers and their default ports.

    Server Type                     Non-Secure Port   Secure Port
    Web server with HTML content    80                443
    SSL VPN                         8080              8443
    WebSphere                       9080              9443
    JBoss                           8080              8443

  4. Configure how you want the certificate verified. The Access Gateway platforms support different options:

    a. (Conditional) If you are configuring a Linux Access Gateway, select one of the following options:

      • To skip verification of the Web server certificate, select Do not verify for the Web Server Trusted Root. Continue with Step 9.

      • To accept the certificate if it matches any certificate in the trust store, select Any in Reverse Proxy Trust Store for the Web Server Trusted Root. Continue with Step 9.

      • To add the Web server's certificate to the trust store, click the Manage Reverse Proxy Trust Store icon. Continue with Step 4.c.

    b. (Conditional) If you are configuring a NetWare® Access Gateway, all the certificates in the certificate chain of the Web server must be in its trust store. To add these certificates to the trust store, click Any in Reverse Proxy Trust Store. Continue with Step 4.c.

    c. The auto import screen appears.

      Importing a certificate into the proxy trust store

      If the Access Gateway is a member of a cluster, the cluster members are listed. The Web server certificate is imported into the trust stores of each cluster member.

  5. Ensure that the IP address of the Web server and the port match your Web server configuration.

    If these values are wrong, you have entered them incorrectly on the Web server page. Click Cancel and reconfigure them before continuing.

  6. Click OK.

    The server certificate, the Root CA certificate, and any certificate authority (CA) certificates from a chain are listed.

    If the whole chain is not displayed, import what is displayed, then manually import the missing parents in the chain. A parent is missing if the chain does not end in a root certificate, that is, a certificate whose Subject and Issuer have the same CN.

  7. Specify an alias, then click OK.

    All the certificates displayed are added to the trust store.

  8. Click Close.

  9. (Optional) For mutual authentication, the Access Gateway platforms support different options:

    a. (Conditional) If you are configuring a Linux Access Gateway, you need to select the certificate. Click the Select Certificate icon, select the certificate you created for the reverse proxy, then click OK.

      This is only part of the process. You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service. For instructions, see your Web server documentation.

    b. (Conditional) If you are configuring a NetWare Access Gateway, the text box displays the certificate that is sent to the Web server if the Web server requires it. If the Web server is not set up for mutual SSL, the certificate is not sent.

      To set up the Web server for mutual SSL, you need to import the trusted root certificate of the CA that signed the certificate displayed in the text box. For instructions, see your Web server documentation.

  10. To save your changes to browser cache, click OK.

  11. To apply your changes, click the Access Gateways link, then click Update > OK.
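The chain-completeness rule from Step 6 (a parent is missing unless the chain ends in a certificate whose Subject and Issuer CN match) can be applied before clicking OK. The following is an added example, not code from the Access Manager product or its documentation; certificates are modelled as constructed dicts holding only the Subject and Issuer CN.

```python
"""Walk a displayed certificate chain leaf-first and report the first
missing parent, using the Subject CN == Issuer CN rule for the root."""
from typing import Dict, List, Optional

Cert = Dict[str, str]  # constructed model: {"subject": CN, "issuer": CN}


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Order the certificates leaf-first by following Issuer -> Subject links."""
    by_subject = {c["subject"] for c in certs}
    lookup = {c["subject"]: c for c in certs}
    # Subjects that issued another (non-self-signed) certificate in the set.
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    # The leaf (the Web server certificate) issued nothing in the set.
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a single leaf certificate")
    ordered = [leaves[0]]
    seen = {leaves[0]["subject"]}
    while ordered[-1]["issuer"] != ordered[-1]["subject"]:
        parent_cn = ordered[-1]["issuer"]
        if parent_cn not in by_subject or parent_cn in seen:
            break  # parent not displayed (or a loop): stop here
        ordered.append(lookup[parent_cn])
        seen.add(parent_cn)
    return ordered


def missing_parent(certs: List[Cert]) -> Optional[str]:
    """Return the Issuer CN of the first missing parent, or None if the
    chain is complete (ends in a self-signed root)."""
    top = order_chain(certs)[-1]
    if top["issuer"] == top["subject"]:
        return None
    return top["issuer"]


# Constructed sample chains (CNs are placeholders, not real certificates).
LEAF = {"subject": "www.example.com", "issuer": "Example Intermediate CA"}
INTERMEDIATE = {"subject": "Example Intermediate CA", "issuer": "Example Root CA"}
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA"}

if __name__ == "__main__":
    print(missing_parent([LEAF, INTERMEDIATE, ROOT]))  # complete chain
    print(missing_parent([LEAF, INTERMEDIATE]))        # root must be imported manually
```

A chain that only shows the server certificate signed by a CA reports that CA's CN as the parent to import; a self-signed server certificate counts as complete.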