When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify an SSL certificate for each published DNS name: you have to define a single certificate with a long list of Subject Alternative Names. If you want to handle the proxy services separately, each with its own certificate and without another SSL terminator in front of the MAG, follow this procedure.
The generated vhost file of each proxy service already carries a default SSLCertificateFile directive pointing under /opt/novell/apache2/certs. Copy the certificate and private key for the proxy service to the Access Gateway (the key file should be readable only by root and the Apache user), for example as:

```
/opt/novell/apache2/certs/proxydnsname.crt
/opt/novell/apache2/certs/proxydnsname.key
```

Then add the two directives that point at them to the proxy service, so that they end up after the "Advanced Options" marker of its vhost file:

```
SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
```

Apache now sees two SSLCertificateFile directives in that vhost; the script below comments out the default pair so that only the per-service certificate is loaded.
Create the following script as /etc/init.d/fixMultipleSSLCertificate.sh and make it executable (chmod +x):

```bash
#!/bin/bash
# Comments out the default SSLCertificate* directives of every vhost that also
# carries a second SSLCertificateFile (the one added in Advanced Options), so
# that Apache loads the per-proxy-service certificate. Requires GNU sed.
cd /etc/opt/novell/apache2/conf/vhosts.d/ || exit 1
for f in *.conf
do
    # Only vhosts with more than one active SSLCertificateFile need fixing
    if [ "$(grep -c '^\s*SSLCertificateFile' "$f")" -gt 1 ]
    then
        #echo "$f found"
        # Comment out only the pair before the "Advanced Options" marker.
        # -i and -e must be separate options: "sed -ie" would treat "e" as a
        # backup suffix and leave *.confe files behind.
        sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$f"
    fi
done
```
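Before wiring the script into the init script, it is worth checking that the sed range does what is intended on a vhost with the expected layout. The following is an added example, not part of the original article: it applies the same fix-up rule to a constructed vhost file in a temporary directory and reports how many SSLCertificate* directives stay active and which certificate Apache would load. It assumes GNU sed (for the 0,/re/ range) as shipped on SLES; the vhost content is constructed for the test.

```bash
# Added example, not part of the original article: dry-run the fix-up logic on
# a constructed vhost file and check the result before touching a live gateway.
# Assumes GNU sed (for the 0,/re/ range) as shipped on SLES; the .conf content
# below is constructed for the test, not a real Access Gateway vhost.
set -u

# Same rule as the fix-up script, applied to one file: when more than one
# active SSLCertificateFile is present, comment out the pair that precedes
# the "Advanced Options" marker (the gateway's default certificate).
fix_vhost() {
    if [ "$(grep -c '^[[:space:]]*SSLCertificateFile' "$1")" -gt 1 ]; then
        sed -i -e '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' "$1"
    fi
}

# Number of SSLCertificate* directives still active (not commented out).
active_cert_lines() {
    grep -c '^[[:space:]]*SSLCertificate' "$1" || true
}

# Constructed vhost: default certificate first, per-service certificate after
# the Advanced Options marker, which is the layout the fix-up relies on.
make_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /opt/novell/apache2/certs/default.crt
    SSLCertificateKeyFile /opt/novell/apache2/certs/default.key
    # Advanced Options
    SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt
    SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key
</VirtualHost>
EOF
}

# Runs the fix-up twice and reports: active directives before, after, after a
# second (no-op) run, and the certificate path Apache would now load.
demo() {
    local dir f before after again
    dir=$(mktemp -d); f=$dir/proxydnsname.conf
    make_sample "$f"
    before=$(active_cert_lines "$f")
    fix_vhost "$f"; after=$(active_cert_lines "$f")
    fix_vhost "$f"; again=$(active_cert_lines "$f")
    echo "$before $after $again $(awk '/^[[:space:]]*SSLCertificateFile/ {print $2}' "$f")"
    rm -rf "$dir"
}

demo
```

The second run is a no-op because only one active SSLCertificateFile remains, which is what makes it safe to call the script on every start and reload.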
Finally, call the script from the start and reload actions of the Access Gateway's Apache init script (the one that prints "Starting Novell Gateway Service..."), so that the fix is reapplied every time the gateway is started or reloaded. Excerpt of the two actions, with the two added calls marked; the other actions stay unchanged:

```bash
case "$1" in
    start*)
        echo -n "Starting Novell Gateway Service..."
        if [ -e $PID_FILE ]; then
            $0 status &>/dev/null
            ret=$?
            if [ $ret = 1 ]; then
                echo "Warning: found stale pidfile (unclean shutdown?)"
            elif [ $ret = 0 ]; then
                echo "Novell Gateway Service is already running ($PID_FILE)"
                rc_failed $ret
                rc_status -v1
                rc_exit
            fi
        fi
        # Added: fix the vhost files before Apache reads them
        /etc/init.d/fixMultipleSSLCertificate.sh
        cmdline="$APACHE_BIN $APACHE_OPTIONS"
        if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
            rc_status -v
        else
            rc_status -v
            echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
        fi
        ;;
    reload|force-reload|graceful)
        echo -n "Reloading Novell Gateway Service..."
        if ! [ -f $PID_FILE ]; then
            cmdline="$APACHE_BIN $APACHE_OPTIONS"
            if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then
                rc_status -v
            else
                rc_status -v
                echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
            fi
        else
            cmdline="$APACHE_BIN $APACHE_OPTIONS"
            if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then
                # Added: fix the vhost files after the config test, before the graceful restart
                /etc/init.d/fixMultipleSSLCertificate.sh
                killproc -USR1 $APACHE_BIN || return=$rc_failed
                rc_status -v
            else
                echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";
                rc_failed 6
                rc_status -v1
            fi
        fi
        ;;
```
With these modifications you can assign a certificate to each proxy service. If the certificate matches the published DNS name, the browser accepts it without warnings. You can check which certificate a service actually presents with openssl s_client -connect proxydnsname:443 -servername proxydnsname.