NAM4, enable multiple SSL certificates for domain based proxy services on the same reverse proxy


When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify an SSL certificate for each published DNS name, so you have to use a single certificate carrying many Subject Alternative Names. If you want to handle your proxy services separately, each with its own certificate and without another SSL terminator in front of your MAG, follow this procedure.



1 - Log on to your MAG via ssh and put your certificate and key under /opt/novell/apache2/certs:

/opt/novell/apache2/certs/proxydnsname.crt
/opt/novell/apache2/certs/proxydnsname.key


2 - In the Access Manager Administration Console go to:

Reverse Proxy Service: AG_Cluster - [https reverse proxy name] - [proxy service name] - Advanced Options

and add these lines:

SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key


3 - Create the following file:

/etc/init.d/fixMultipleSSLCertificate.sh

#!/bin/bash
# Comments out the default SSLCertificate* directives that NAM writes before the
# "Advanced Options" section of every vhost that also carries a per-service
# certificate. Make this file executable (chmod +x) so novell-apache2 can run it.
cd /etc/opt/novell/apache2/conf/vhosts.d/ || exit 1
for f in *.conf
do
    # more than one active SSLCertificateFile means a custom one was added
    if [ "$(grep -ce '^\s*SSLCertificateFile' "$f")" -gt 1 ]
    then
        #echo "$f found"
        sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$f"
    fi
done



4 - Modify these parts of /etc/init.d/novell-apache2 (the start option and the reload option), adding the call to fixMultipleSSLCertificate.sh:

case "$1" in
    start*)
        echo -n "Starting Novell Gateway Service..."
        if [ -e $PID_FILE ]; then
            $0 status &>/dev/null
            ret=$?
            if [ $ret = 1 ]; then
                echo "Warning: found stale pidfile (unclean shutdown?)"
            elif [ $ret = 0 ]; then
                echo "Novell Gateway Service is already running ($PID_FILE)"
                rc_failed $ret
                rc_status -v1
                rc_exit
            fi
        fi

        # added: remove the default certificates before Apache reads the vhosts
        /etc/init.d/fixMultipleSSLCertificate.sh
        cmdline="$APACHE_BIN $APACHE_OPTIONS"
        if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
            rc_status -v
        else
            rc_status -v
            echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
        fi
        ;;

    reload|force-reload|graceful)
        echo -n "Reloading Novell Gateway Service..."
        if ! [ -f $PID_FILE ]; then
            cmdline="$APACHE_BIN $APACHE_OPTIONS"
            if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
                rc_status -v
            else
                rc_status -v
                echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
            fi
        else
            cmdline="$APACHE_BIN $APACHE_OPTIONS"
            if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then
                # added: config test passed, remove the defaults before the graceful restart
                /etc/init.d/fixMultipleSSLCertificate.sh
                killproc -USR1 $APACHE_BIN || return=$rc_failed
                rc_status -v
            else
                echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
                rc_failed 6
                rc_status -v1
            fi
        fi
        ;;
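As an added example (my own code, not the post's script), here is a more defensive version of fixMultipleSSLCertificate.sh: it only comments out the default directives when the certificate and key named under Advanced Options actually exist and belong together, and it can be re-run safely because already commented lines are skipped. It assumes the generated vhost .conf contains the literal marker "Advanced Options", exactly as the sed range above relies on; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's script: a defensive version of
# fixMultipleSSLCertificate.sh. Assumption: the generated vhost .conf contains
# the literal marker "Advanced Options", as the post's sed range relies on.

# Number of SSLCertificateFile directives that are not commented out.
active_cert_count() {
    grep -c '^[[:space:]]*SSLCertificateFile' "$1" || true
}

# Path from the last active occurrence of directive $1 in conf file $2,
# i.e. the one added through Advanced Options.
last_directive() {
    awk -v d="$1" '$1 == d { p = $2 } END { print p }' "$2"
}

# Succeeds only if certificate $1 and private key $2 share the same public key.
# Fails closed when openssl is not installed.
cert_key_match() {
    command -v openssl >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Comment out every SSLCertificate* directive that precedes the marker in
# vhost conf $1, but only when a valid per-service cert/key pair follows it.
# Returns 0 if the file was changed, 1 if it was left alone.
fix_vhost() {
    conf=$1
    [ "$(active_cert_count "$conf")" -gt 1 ] || return 1
    crt=$(last_directive SSLCertificateFile "$conf")
    key=$(last_directive SSLCertificateKeyFile "$conf")
    [ -r "$crt" ] && [ -r "$key" ] || return 1
    cert_key_match "$crt" "$key" || return 1
    awk '
        /Advanced Options/ { seen = 1 }
        !seen && /^[[:space:]]*SSLCertificate/ { sub(/SSLCertificate/, "#SSLCertificate") }
        { print }
    ' "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Stand-alone use (sh fixMultipleSSLCertificate.sh --run): walk the same
# directory as the original script.
if [ "${1:-}" = "--run" ]; then
    for f in /etc/opt/novell/apache2/conf/vhosts.d/*.conf; do
        fix_vhost "$f" && echo "fixed $f"
    done
fi
```

Because the file is rewritten through cat rather than moved, the ownership and mode of the original vhost conf are preserved.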


With these modifications you can use a separate certificate for each proxy service. If the certificate matches the published DNS name, the browser will accept it without warnings.
