Novell ACCESS MANAGER 3.1 SP1 - GATEWAY GUIDE Manual: Section 2.6, "Managing Access Gateway Certificates"


2.6 Managing Access Gateway Certificates

Section 2.6.1, "Managing Embedded Service Provider Certificates"
Section 2.6.2, "Managing Reverse Proxy and Web Server Certificates"

2.6.1 Managing Embedded Service Provider Certificates

The Access Gateway uses an Embedded Service Provider to communicate with the Identity Server. The Service Provider Certificates page allows you to view the private keys, certificate authority (CA) certificates, and certificate containers associated with this module. These keystores do not contain the certificates that the Access Gateway uses for SSL connections to browsers or to back-end Web servers.

To view or modify these certificates:

1 In the Administration Console, click Devices > Access Gateways > Edit > Service Provider Certificates.

2 Configure the following:

Signing: The signing certificate keystore. Click this link to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.

Trusted Roots: The trusted root certificate container for the CA certificates associated with the Access Gateway. Click this link to access the trust store, where you can change the password or add trusted roots to the container.

The Embedded Service Provider must trust the certificate of the Identity Server that the Access Gateway has been configured to trust. The public certificate of the CA that generated the Identity Server certificate must be in this trust store. If you configured the Identity Server to use a certificate generated by a CA other than the Access Manager CA, you must add the public certificate of this CA to the Trusted Roots store. To import this certificate, click Trusted Roots, then in the Trusted Roots section, click Auto-Import From Server. Fill in the IP address or DNS name of your Identity Server and its port, then click OK.

You can also auto-import the Identity Server certificate by selecting the Auto-Import Identity Server Configuration Trusted Root option on the Reverse Proxies / Authentication page (click Devices > Access Gateways > Edit > Reverse Proxies / Authentication). With this option, you do not need to specify the IP address and port of the Identity Server.

3 To save your changes to browser cache, click OK.

4 To apply your changes, click the Access Gateways link, then click Update > OK.
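
The trust condition from step 2, as an added example that is not part of the Novell guide: an Identity Server certificate issued by a CA other than the Access Manager CA verifies only once that CA's public certificate is in the root bundle. The CA names, the host name idp.example.test and the PEM bundle files are constructed stand-ins; having Trusted Roots available as a PEM bundle is an assumption, and only the openssl command line is used.

```shell
#!/usr/bin/env bash
# Added example: every CA, host name and file here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: throwaway self-signed CA standing in for a real one.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: leaf certificate for NAME, signed by CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to BUNDLE CERT: "trusted" if CERT verifies against the roots in
# BUNDLE. openssl may also consult system default roots; the constructed
# CAs are not among them.
chains_to() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# fingerprint CERT: SHA-256 fingerprint, for comparison with the value the
# CA publishes before a root is accepted into the store.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

make_ca am-ca       # stands in for the Access Manager CA
make_ca other-ca    # stands in for the CA that issued the Identity Server cert
issue_cert other-ca idp.example.test
IDP="$WORK/idp.example.test.pem"
cp "$WORK/am-ca.pem" "$WORK/roots-before.pem"
cat "$WORK/am-ca.pem" "$WORK/other-ca.pem" > "$WORK/roots-after.pem"

echo "Trusted Roots without other-ca: $(chains_to "$WORK/roots-before.pem" "$IDP")"
echo "Trusted Roots with other-ca:    $(chains_to "$WORK/roots-after.pem" "$IDP")"
echo "Root to confirm out of band:    $(fingerprint "$WORK/other-ca.pem")"
```

The same chains_to check can be pointed at a real root bundle and the Identity Server's certificate file to confirm the import before applying the update in step 4.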

2.6.2 Managing Reverse Proxy and Web Server Certificates

You select Access Gateway certificates on two pages in the Administration Console:

Devices > Access Gateways > Edit > [Name of Reverse Proxy]
Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers

When configuring certificates on these pages, you need to be aware that two phases are used to push the certificates into active use.
Configuring the Access Gateway for SSL