Access Gateway and SNI support

0 Likes
over 1 year ago

Introduction

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client can mention which hostname it is attempting to connect to at the start of the TLS handshaking process. This enables the server to select the correct virtual domain and corresponding TLS certificate at the very beginning of the process of establishing secure communication with the client.

The purpose of this document is to help users enabling SNI and getting benefits of it in secure TLS communication of Access Gateway (AG) (pre NAM 5.0). There are two such channels available at AG.

  1. Between browser and AG.
  2. Between AG and backend webserver.

Detailed configuration/steps are mentioned in the following sections -

Case 1: SNI between browser and AG

The scenario comes under this is where multiple domain-based proxy services are configured and SSL is enabled on corresponding Reverse proxy. Current out-of-box support is to use a single TLS certificate having CN with suitable wildcards. With single certificated, there is no scope for SNI. Also, no UI to add a separate certificate for each proxy service even though under the hood Apache 2.4 supports SNI.

To use a separate SSL certificate for each domain-based proxy service (not virtual proxy),

  1. Go to Advanced Options for a Domain-Based proxy service
  2. Add the following two options –
    • SSLCertificateFile <PEM-encoded X.509 certificate full file-path>

At a minimum, the file must include an end-entity certificate of proxy service and may contain  complete chain of certificates up to root issuer certificate.

3. SSLCertificateChainFile <PEM-encoded Server CA Certificates full file-path>

This is optional. The file concatenate the certificates of Certification Authorities (CA), which form the certificate chain of the proxy service’s certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.(More details available at https://httpd.apache.org/docs/current/mod/mod_ssl.html)

4. Update AG server

Note: In case, NAM’s certificate management is used to create a certificate for proxy service, make sure to add the same certificate to "Proxy key store". The default location of AG key store is /opt/novell/apache2/certs/. E.g. if certificate name is “proxy_cert”, then corresponding entries in advance options are –

SSLCertificateFile /opt/novell/apache2/certs/proxy_cert.pem
SSLCertificateChainFile /opt/novell/apache2/certs/proxy_cert.pem
Case 2: SNI between AG and backend webserver

Considering SSL is on between proxy service and backend server, for SNI to work, the following configurations are required -

  1. ClickAccess Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.
  2. Set Web Server Host Name to DNS name of the backend web server. This should match the server name of the backend name virtual host whose TLS certificate is used for secure communication.
  3. Set Web Server Trusted Root to Any in Reverse Proxy Trust Store. User must add the public certificate of the certificate authority backend webserver’s TLS certificate to the proxy trust store.
  4. Optionally, Set Web Server List to DNS name of the backend web server.
  5. Optionally, advanced option SSLProxyVerifyDepth may need to set if the default value is not good enough. Check user doc Configuring Global Advanced Options  for more info

      6. Update AG server

Labels:

Support Tip
How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended