Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates which hostname it is attempting to connect to at the start of the TLS handshake. This enables the server to select the correct virtual domain and corresponding TLS certificate at the very beginning of the process of establishing secure communication with the client.
The purpose of this document is to help users enable SNI and benefit from it in the secure TLS communication of Access Gateway (AG) (pre NAM 5.0). There are two such channels available at AG.
Detailed configuration steps are given in the following sections -
This scenario applies where multiple domain-based proxy services are configured and SSL is enabled on the corresponding reverse proxy. The current out-of-the-box support is to use a single TLS certificate whose CN has suitable wildcards. With a single certificate, there is no scope for SNI. Also, there is no UI to add a separate certificate for each proxy service, even though under the hood Apache 2.4 supports SNI.
To use a separate SSL certificate for each domain-based proxy service (not virtual proxy),
At a minimum, the file must include the end-entity certificate of the proxy service, and it may contain the complete chain of certificates up to the root issuer certificate.
3. SSLCertificateChainFile <PEM-encoded Server CA Certificates full file-path>
This is optional. The file is a concatenation of the certificates of the Certification Authorities (CAs) that form the certificate chain of the proxy service’s certificate. It starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. (More details are available at https://httpd.apache.org/docs/current/mod/mod_ssl.html)
4. Update AG server
Note: If NAM’s certificate management is used to create a certificate for the proxy service, make sure to add the same certificate to the "Proxy key store". The default location of the AG key store is /opt/novell/apache2/certs/. E.g., if the certificate name is “proxy_cert”, then the corresponding entries in the advanced options are –
When SSL is enabled between the proxy service and the backend server, the following configuration is required for SNI to work -
6. Update AG server
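One way to confirm, after the AG update, that each domain-based proxy service now presents its own certificate when its name is sent via SNI. This is an added example, not part of the original document or the product; the gateway address, the hostnames and the function names `probe`, `assess` and `audit` are assumptions for illustration.

```python
import hashlib
import socket
import ssl


def probe(addr, port, sni, cafile=None, timeout=5.0):
    """Return (SHA-256 of the leaf certificate, verification error or None)."""
    # Pass 1: no verification, only record which certificate this SNI name selects.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=sni) as tls:
            fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    # Pass 2: full chain and hostname verification, as a browser would do.
    # cafile is the issuing CA bundle when the certificates come from a private CA.
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=sni):
                return fp, None
    except ssl.SSLCertVerificationError as exc:
        return fp, exc.verify_message


def assess(results):
    """results: {hostname: (fingerprint, error)} -> list of findings (empty = good)."""
    findings, by_fp = [], {}
    for host, (fp, err) in sorted(results.items()):
        by_fp.setdefault(fp, []).append(host)
        if err:
            findings.append(f"{host}: verification failed: {err}")
    for fp, hosts in by_fp.items():
        if len(hosts) > 1:
            # Same certificate for several names: the per-service entries did not take effect.
            findings.append(f"{', '.join(hosts)} share certificate {fp[:16]}: "
                            "SNI is not selecting a per-service certificate")
    return findings


def audit(addr, port, hostnames, cafile=None):
    """Probe the gateway once per proxy-service hostname and report findings."""
    return assess({h: probe(addr, port, h, cafile) for h in hostnames})


if __name__ == "__main__":
    # Constructed address and hostnames; replace with the AG listener and its proxy services.
    for line in audit("192.0.2.10", 443, ["app1.example.test", "app2.example.test"]):
        print(line)
```

An empty result means every hostname received a distinct certificate that verified for that name; a chain error from the second pass usually points at a certificate file that lacks the intermediate CA certificates.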