NAM4, enable multiple SSL certificates for domain based proxy services on the same reverse proxy

0 Likes

over 8 years ago

When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify a SSL certificate for each published dns name. So you have to define a unique certificate with a lot of Subject Alternative Names. If you want to handle your proxy services separately, each one with his certificate and without another SSL terminator in front of your MAG, follow this procedure.

1 - Go on your MAG via ssh and put your cert and key under:

SSLCertificateFile /opt/novell/apache2/certs

/opt/novell/apache2/certs/proxydnsname.crt

/opt/novell/apache2/certs/proxydnsname.key

2 - Via Access Manager Administration console go to:

Reverse Proxy Service: AG_Cluster - [https reverse proxy name] - [proxy service name] - Advanced Options

and put these lines

SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt

SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key

3 - Create the following file:

/etc/init.d/fixMultipleSSLCertificate.sh

#!/bin/bash

cd /etc/opt/novell/apache2/conf/vhosts.d/

for f in *.conf

do

if $(grep -ce '^\s*SSLCertificateFile' $f) -gt 1

then

#echo "$f found"

sed -ie '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' $f

fi

done

4 - Modify these parts of /etc/init.d/novell-apache2 (start option and reload option)

case "$1" in

start*)

echo -n "Starting Novell Gateway Service..."

if [ -e $PID_FILE ]; then

$0 status &>/dev/null

ret=$?

if [ $ret = 1 ]; then

echo "Warning: found stale pidfile (unclean shutdown?)"

elif [ $ret = 0 ]; then

echo "Novell Gateway Service is already running ($PID_FILE)"

rc_failed $ret

rc_status -v1

rc_exit

fi

fi


     /etc/init.d/fixMultipleSSLCertificate.sh

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then

rc_status -v

else

rc_status -v

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

fi

;;




reload|force-reload|graceful)

echo -n "Reloading Novell Gateway Service..."

 

if ! [ -f $PID_FILE ]; then

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then

rc_status -v

else

rc_status -v

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

fi

else

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then

 /etc/init.d/fixMultipleSSLCertificate.sh

killproc -USR1 $APACHE_BIN || return=$rc_failed

rc_status -v

else

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

rc_failed 6

rc_status -v1

fi

fi

;;

With these modifications you can put a certificate for each proxy service. If the certificate matches the published dns name, the browser will accept it without warnings.

Tags:

proxy

SSL

Certificates

Labels:

How To-Best Practice

Comment List

nsanson over 6 years ago in reply to MigrationDeletedUser

I think if you put the certificate inside the advanced configuration, it is only the Apache webserver making use of it. So it is not strictly needed that AM console knows it... it would the client browser the one checking the CSR when needed.
But if you want you can to the CSR generation with AM, it is up to you.

If you put even inside AM console the certificate, then you will have the plus of obtaining the certificate expiry date warning.

I would insert the same certificate inside the Access Gateway Cluster Proxy Trust Store, just to keep track of it. In this case obviously the maintenance would be double...
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
MigrationDeletedUser over 6 years ago

To implement this, Will the CSR generation for each proxy service would be as we do normally from admin console? and if we are not importing the certificate in admin console but putting on AG server, will it work? Or along with these steps, we also need to import the certificate in admin console?(So that it will also indicate for certificate expiry date)
Thanks!
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
MigrationDeletedUser over 7 years ago in reply to jwcombs

This is a limitation of NAM handling cookies, as it says if you try to do a virtual definition on a SSL proxy service:

Domain-Based Multi-Homing requires the Published DNS Name to be in the Cookie Domain of the first Proxy Service

We cannot do anything about this
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
jwcombs over 7 years ago

This doesn't do quite what I was hoping it would. It does allow you to specify separate certificates for two domain names that share a common root. It does not allow you to add a completely separate domain to a single reverse proxy service. So domains with no common root still require a seperate IP or port.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
jwcombs over 8 years ago

Hopefully this capability will make it into the next release so we can do this directly from the admin console.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
MigrationDeletedUser over 8 years ago

This looks useful , thanks for posting.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel

Recommended

Menu

NetIQ Access Manager