Prerequisites for SSL - Novell Access Manager 3.1 SP2 Access Gateway Guide 2010 Manual


When a user logs in to the Identity Server, the Identity Server verifies the user's credentials, usually
with the credentials stored in an LDAP directory, but other methods are available. If the login is
successful, the Identity Server sends an artifact to the browser, and the browser forwards it to the
Access Gateway. The Access Gateway uses the artifact to retrieve the user's name and password
from the Identity Server. The Access Gateway and Identity Server channel is probably the first
communication channel you should enable for SSL. The Access Gateway uses an Embedded
Service Provider to communicate with the Identity Server. When you enable SSL between the two,
the Access Manager distributes the necessary certificates to set up SSL. However, if you have
configured the Identity Server to use certificates from an external certificate authority (CA), you
need to import the public certificate of this CA into the trust store of the Access Gateway. If you
have set up the Access Gateway to use a certificate from an external CA, you need to import the
public certificate of this CA into the trust store of the Identity Server.

SSL must be enabled between the Access Gateway and the browsers before you can enable SSL
between the Access Gateway and its Web servers. If you enable SSL between the Access Gateway
and the browsers, SSL is automatically enabled for the Access Gateway Embedded Service Provider
that communicates with the Identity Server. After you have enabled SSL between the Access
Gateway and the browsers, you can select whether to enable SSL between the Access Gateway and
the Web servers. By not enabling SSL to the Web servers, you can save processing overhead if the
data on the Web servers is not sensitive or if it is already sufficiently protected.

Whether you need the added security of SSL or mutual SSL between the Access Gateway and its
Web servers depends upon how you have set up your Web servers.
- You should enable at least SSL if the Access Gateway is injecting authentication credentials
  into HTTP headers.
- Mutual SSL is probably not needed if you have configured the Web servers so that they can
  only accept connections with the Access Gateway.

3.2 Prerequisites for SSL

The following SSL configuration instructions assume that you have already created or imported the
certificate that you are going to use for SSL. This certificate must have a subject name (cn) that
matches the published DNS name of the proxy service that you are going to use for authentication.
You can obtain this certificate one of two ways:
- You can use the Access Manager CA to create this certificate. See "Creating a Locally Signed
  Certificate" in the Novell Access Manager 3.1 SP2 Administration Console Guide.
- You can create a certificate signing request (CSR), send it to an external CA, then import the
  returned certificates into Access Manager. See "Generating a Certificate Signing Request" and
  "Importing Public Key Certificates (Trusted Roots)" in the Novell Access Manager 3.1 SP2
  Administration Console Guide.
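
The subject-name prerequisite above can be checked before the certificate is assigned to the proxy service. The following is an added example, not part of the Novell guide: it parses the subject line printed by `openssl x509 -noout -subject -nameopt RFC2253` and compares the cn with the published DNS name. The function names and the example.com sample subjects are constructed for illustration.

```python
import re

def _split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]          # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    parts.append(cur)
    return parts

def _unescape(value):
    """Undo RFC 2253 escapes (backslash + hex pair or + character); ASCII only."""
    return re.sub(
        r"\\([0-9A-Fa-f]{2}|.)",
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value)

def subject_cns(subject_line):
    """Return every cn value found in an RFC 2253 subject line."""
    dn = subject_line.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    cns = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):      # multi-valued RDN
            attr, _, value = ava.partition("=")
            if attr.strip().upper() == "CN":
                cns.append(_unescape(value.strip()))
    return cns

def check_cn(subject_line, published_dns_name):
    """Return (ok, message). DNS names are compared case-insensitively."""
    want = published_dns_name.strip().rstrip(".").lower()
    cns = subject_cns(subject_line)
    if not cns:
        return False, "subject has no cn"
    if any(cn.rstrip(".").lower() == want for cn in cns):
        return True, "cn matches " + want
    # The DNS name appearing in OU/O, or as a prefix of the cn, is not a match.
    return False, "cn %r does not match %s" % (cns, want)
```

Comparing the parsed cn, rather than searching the subject text for the host name, rejects certificates where the published name only appears in another attribute or as part of a longer name.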
