Related Tips & Info

NAM4, enable multiple SSL certificates for domain based proxy services on the same reverse proxy

nsanson
0 Likes

When you define a reverse proxy with SSL support (Enable SSL between Browser and Access Gateway), you cannot specify a SSL certificate for each published dns name. So you have to define a unique certificate with a lot of Subject Alternative Names. If you want to handle your proxy services separately, each one with his certificate and without another SSL terminator in front of your MAG, follow this procedure.



1 - Go on your MAG via ssh and put your cert and key under:



SSLCertificateFile /opt/novell/apache2/certs



/opt/novell/apache2/certs/proxydnsname.crt

/opt/novell/apache2/certs/proxydnsname.key


2 - Via Access Manager Administration console go to:



Reverse Proxy Service: AG_Cluster - [https reverse proxy name] - [proxy service name] - Advanced Options

and put these lines

SSLCertificateFile /opt/novell/apache2/certs/proxydnsname.crt

SSLCertificateKeyFile /opt/novell/apache2/certs/proxydnsname.key


3 - Create the following file:



/etc/init.d/fixMultipleSSLCertificate.sh


#!/bin/bash

cd /etc/opt/novell/apache2/conf/vhosts.d/

for f in *.conf

do

if $(grep -ce '^\s*SSLCertificateFile' $f) -gt 1

then

#echo "$f found"

sed -ie '0,/Advanced Options/ s/ SSLCertificate/#SSLCertificate/' $f

fi

done



4 - Modify these parts of /etc/init.d/novell-apache2 (start option and reload option)



case "$1" in

start*)

echo -n "Starting Novell Gateway Service..."

if [ -e $PID_FILE ]; then

$0 status &>/dev/null

ret=$?

if [ $ret = 1 ]; then

echo "Warning: found stale pidfile (unclean shutdown?)"

elif [ $ret = 0 ]; then

echo "Novell Gateway Service is already running ($PID_FILE)"

rc_failed $ret

rc_status -v1

rc_exit

fi

fi


     /etc/init.d/fixMultipleSSLCertificate.sh

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then

rc_status -v

else

rc_status -v

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

fi

;;




reload|force-reload|graceful)

echo -n "Reloading Novell Gateway Service..."

 

if ! [ -f $PID_FILE ]; then

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval startproc -f $cmdline &> $LOGDIR/rc$PNAME.out; then

rc_status -v

else

rc_status -v

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

fi

else

cmdline="$APACHE_BIN $APACHE_OPTIONS"

if eval $cmdline -t &> $LOGDIR/rc$PNAME.out; then

 /etc/init.d/fixMultipleSSLCertificate.sh

killproc -USR1 $APACHE_BIN || return=$rc_failed

rc_status -v

else

echo -e -n "\nsee $LOGDIR/rc$PNAME.out for details\n";

rc_failed 6

rc_status -v1

fi

fi

;;


With these modifications you can put a certificate for each proxy service. If the certificate matches the published dns name, the browser will accept it without warnings.

Labels:

How To-Best Practice
Comment List
Anonymous
  • in reply to MigrationDeletedUser
    I think if you put the certificate inside the advanced configuration, it is only the Apache webserver making use of it. So it is not strictly needed that AM console knows it... it would the client browser the one checking the CSR when needed.
    But if you want you can to the CSR generation with AM, it is up to you.

    If you put even inside AM console the certificate, then you will have the plus of obtaining the certificate expiry date warning.

    I would insert the same certificate inside the Access Gateway Cluster Proxy Trust Store, just to keep track of it. In this case obviously the maintenance would be double...
  • To implement this, Will the CSR generation for each proxy service would be as we do normally from admin console? and if we are not importing the certificate in admin console but putting on AG server, will it work? Or along with these steps, we also need to import the certificate in admin console?(So that it will also indicate for certificate expiry date)
    Thanks!
  • in reply to jwcombs
    This is a limitation of NAM handling cookies, as it says if you try to do a virtual definition on a SSL proxy service:

    Domain-Based Multi-Homing requires the Published DNS Name to be in the Cookie Domain of the first Proxy Service

    We cannot do anything about this
  • This doesn't do quite what I was hoping it would. It does allow you to specify separate certificates for two domain names that share a common root. It does not allow you to add a completely separate domain to a single reverse proxy service. So domains with no common root still require a seperate IP or port.
  • Hopefully this capability will make it into the next release so we can do this directly from the admin console.
  • This looks useful , thanks for posting.
Related Discussions
Recommended

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.