Novell ACCESS MANAGER 3.1 SP2 - ACCESS GATEWAY GUIDE 2010 Manual page 113


3 Select the certificate to use for SSL between the Access Gateway and the browsers. Select one of the following methods:

  - To auto-generate a certificate key by using the Access Manager CA, click Auto-generate Key, then click OK twice. The generated certificate appears in the Server Certificate text box.

    The generated certificate uses the published DNS name of the first proxy service for the Subject name of the certificate. If there is more than one proxy service, the CA generates a wildcard certificate (*.Cookie Domain).

    If you have not created a proxy service for this reverse proxy, wait until you have created a proxy service before generating the key. This allows the CN in the Subject field of the certificate to match the published DNS name of the proxy service.

  - To select a certificate, click the Select Certificate icon, select the certificate you have created for the DNS name of your proxy service, then click OK. The certificate appears in the Server Certificate text box. For SSL to work, the CN in the Subject field of the certificate must match the published DNS name of the proxy service.
4 (Conditional) If you selected a certificate in Step 3 that was created by an external CA, click Auto-Import Embedded Service Provider Trusted Root, click OK, specify an alias name, click OK, then click Close.

  This option imports the public key from the Embedded Service Provider into the trust store of the Identity Servers in the selected Identity Server Configuration. This sets up a trusted SSL relationship between the Identity Server and the Embedded Service Provider.

  If you are using certificates signed by the Novell Access Manager CA, the public key is automatically added to this trust store.

5 Configure the ports for SSL:

  Non-Secure Port: Specifies the port on which to listen for HTTP requests. The default port for HTTP is 80.

  - If you selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port. If the browser cannot establish an SSL connection, the session is terminated.

  - If you do not select the Redirect Requests from Non-Secure Port to Secure Port option, this port is not used when SSL is enabled.

  IMPORTANT: If you select not to redirect HTTP requests (port 80) and your Access Gateway has only one IP address, do not use port 80 to configure another reverse proxy. Although it is not used, it is reserved for this reverse proxy.

  Secure Port: Specifies the port on which to listen for HTTPS requests (usually 443). This port needs to match the configuration for SSL. If SSL is enabled, this port is used for all communication with the browsers. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.

6 Click OK.

7 On the Configuration page, click Reverse Proxy / Authentication.

8 (Conditional) If you are using an externally signed certificate for the Identity Server cluster, you need to import the public key of the CA:

  8a In the Embedded Service Provider section, click Auto-Import Identity Server Trusted Root, then click OK.
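
The following check is an added example, not part of the Novell manual or product: it audits a planned set of reverse proxies against the two rules in Steps 3 and 5 (the certificate CN must match every published DNS name, and each listening address and port pair belongs to one reverse proxy only). The dictionary layout, the names and the addresses are constructed for illustration, and the wildcard rule assumed is the usual browser one (a "*" replaces exactly one left-most label).

```python
# Added example: audit planned reverse proxy SSL settings before applying them.
# Field names and SAMPLE values are hypothetical, constructed for illustration.

def cn_matches(cn, dns_name):
    """True if a certificate CN covers a published DNS name."""
    cn_labels = cn.lower().rstrip(".").split(".")
    host_labels = dns_name.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels):
        return False  # a wildcard never spans more or fewer labels
    if cn_labels[0] == "*":
        # Wildcard only as the whole left-most label, never directly on a TLD.
        return len(cn_labels) > 2 and cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels

def audit(proxies):
    """Return a list of problem strings; an empty list means both rules hold."""
    problems = []
    claimed = {}  # (address, port) -> name of the reverse proxy holding it
    for rp in proxies:
        for dns in rp["published_dns"]:
            if not cn_matches(rp["cert_cn"], dns):
                problems.append(
                    f"{rp['name']}: CN {rp['cert_cn']} does not match {dns}")
        # The non-secure port stays reserved even when redirect is not selected.
        for port in (rp["non_secure_port"], rp["secure_port"]):
            key = (rp["address"], port)
            if key in claimed:
                problems.append(
                    f"{rp['name']}: {key[0]}:{port} already reserved by {claimed[key]}")
            else:
                claimed[key] = rp["name"]
    return problems

# Constructed sample: two reverse proxies on a gateway with one IP address.
SAMPLE = [
    {"name": "rp-public", "address": "192.0.2.10",
     "non_secure_port": 80, "secure_port": 443,
     "cert_cn": "*.example.com",
     "published_dns": ["www.example.com", "mail.example.com"]},
    {"name": "rp-partner", "address": "192.0.2.10",
     "non_secure_port": 80, "secure_port": 8443,
     "cert_cn": "partner.example.com",
     "published_dns": ["partners.example.com"]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
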
Configuring the Access Gateway for SSL and Other Security Features 113
