Access Gateway and SNI support
Introduction
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client can mention which hostname it is attempting to connect to at the start of the TLS handshaking process. This enables the server to select the correct virtual domain and corresponding TLS certificate at the very beginning of the process of establishing secure communication with the client.
The purpose of this document is to help users enabling SNI and getting benefits of it in secure TLS communication of Access Gateway (AG) (pre NAM 5.0). There are two such channels available at AG.
- Between browser and AG.
- Between AG and backend webserver.
SCENARIO 1: SNI between Browser and AG
The scenario comes under this is where multiple domain-based proxy services are configured and SSL is enabled on corresponding Reverse proxy. Current out-of-box support is to use a single TLS certificate having CN with suitable wildcards. With single certificated, there is no scope for SNI. Also, no UI to add a separate certificate for each proxy service even though under the hood Apache 2.4 supports SNI.
- Go to Advanced Options for a Domain-Based proxy service
- Add the following two options –
- SSLCertificateFile <PEM-encoded X.509 certificate full file-path>
- SSLCertificateChainFile <PEM-encoded Server CA Certificates full file-path>
- Update AG server
At a minimum, the file must include an end-entity certificate of proxy service and may contain complete chain of certificates up to root issuer certificate.
This is optional. The file concatenate the certificates of Certification Authorities (CA), which form the certificate chain of the proxy service’s certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.(More details available at https://httpd.apache.org/docs/current/mod/mod_ssl.html)
NOTE: In case, NAM’s certificate management is used to create a certificate for proxy service, make sure to add the same certificate to "Proxy key store". The default location of AG key store is /opt/novell/apache2/certs/. E.g. if certificate name is “proxy_cert”, then corresponding entries in advance options are –
SSLCertificateFile /opt/novell/apache2/certs/proxy_cert.pem
SSLCertificateChainFile /opt/novell/apache2/certs/proxy_cert.pem
SCENARIO 2: SNI between AG and backend webserver
Considering SSL is on between proxy service and backend server, for SNI to work, the following configurations are required -
- Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.
- Set Web Server Host Name to DNS name of the backend web server. This should match the server name of the backend name virtual host whose TLS certificate is used for secure communication.
- Set Web Server Trusted Root to Any in Reverse Proxy Trust Store. User must add the public certificate of the certificate authority backend webserver’s TLS certificate to the proxy trust store.
- Optionally, Set Web Server List to DNS name of the backend web server.
- Optionally, Advanced Option SSLProxyVerifyDepth may need to set if the default value is not good enough. Check user doc Configuring Global Advanced Options for more info
- Update AG server