Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
Configure the reverse proxy for SSL by filling in the following fields:
Enable SSL with Embedded Service Provider: Select this option to encrypt the data exchanged for authentication (the communication channel between Identity Server and Access Gateway). This option is available only for the reverse proxy that has been assigned to perform authentication.
If you enable SSL between the browsers and Access Gateway, this option is automatically selected for you. You can also enable SSL with the Embedded Service Provider without enabling SSL between Access Gateway and the browsers. The authentication and identity information that Access Gateway and Identity Server exchange then uses a secure channel, while the data that Access Gateway retrieves from the back-end web servers and sends to users uses a non-secure channel. This saves processing overhead, but it is appropriate only if the data on the web servers is not sensitive, because everything on the browser channel, including the session cookie that identifies the user to Access Gateway, is then transmitted in clear text.
Enable SSL between Browser and Access Gateway: Select this option to require SSL connections between your clients and Access Gateway. SSL must be configured between the browsers and Access Gateway before you can configure SSL between Access Gateway and the web servers.
Redirect Requests from Non-Secure Port to Secure Port: Determines whether browsers are redirected to the secure port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.
This option is only available if you have selected Enable SSL between Browser and Access Gateway, because redirection requires a secure port on which the browser can establish the SSL connection.
Select the certificate to use for SSL between Access Gateway and browsers. Select one of the following methods:
To auto-generate a certificate key by using the Access Manager CA, click Auto-generate Key, then click OK twice. The generated certificate appears in the Server Certificate text box.
The generated certificate uses the published DNS name of the first proxy service for the Subject name of the certificate. If there is more than one proxy service, the CA generates a wildcard certificate (*.Cookie Domain).
If you have not created a proxy service for this reverse proxy, wait until you have created a proxy service before generating the key. This allows the CN in the Subject field of the certificate to match the published DNS name of the proxy service.
To select a certificate, click the Select Certificate icon, select the certificate you have created for the DNS name of your proxy service, then click OK. The certificate appears in the Server Certificate text box. For SSL to work, the CN in the Subject field of the certificate must match the published DNS name of the proxy service.
Configure the ports for SSL:
Non-Secure Port: Specifies the port on which to listen for HTTP requests. The default port for HTTP is 80.
If you selected the Redirect Requests from Non-Secure Port to Secure Port option, requests sent to this port are redirected to the secure port. If the browser can establish an SSL connection, the session continues on the secure port. If the browser cannot establish an SSL connection, the session is terminated.
If you do not select the Redirect Requests from Non-Secure Port to Secure Port option, this port is not used when SSL is enabled.
IMPORTANT: If you choose not to redirect HTTP requests (port 80) and your Access Gateway has only one IP address, do not use port 80 when configuring another reverse proxy. Although the port is not used, it remains reserved for this reverse proxy.
Secure Port: Specifies the port on which to listen for HTTPS requests (usually 443). This port needs to match the configuration for SSL. If SSL is enabled, this port is used for all communication with the browsers. The listening address and port combination must not match any combination you have configured for another reverse proxy or tunnel.
Click OK.
On the Server Configuration page, click OK.
On the Access Gateways page, click Update > OK.
ESP is restarted during the update.
(Conditional) Identity Server is automatically updated to use the new SSL configuration. If the update does not start and an update is flagged, click Identity Servers > Update.
Verify that the trusted relationship between Identity Server and Access Gateway has been reestablished.
Enter the URL to a protected resource on Access Gateway.
Complete one of the following:
If you are prompted for login credentials, enter them. The trusted relationship has been reestablished.
If you receive a 100101043 or 100101044 error, the trusted relationship has not been established. For information about how to solve this problem, see Troubleshooting 100101043 and 100101044 Liberty Metadata Load Errors.
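The following shell script is an added check, not part of the Access Manager documentation, for verifying the result of this procedure from a workstation. It confirms that the CN of the certificate presented on the secure port matches the published DNS name of the proxy service (including the *.Cookie Domain wildcard case described above) and that a request to the non-secure port is redirected to HTTPS when the Redirect Requests from Non-Secure Port to Secure Port option is selected. The host name ag.example.com, the ports 80 and 443, the environment variable PROXY_HOST, and the function names are assumptions; the sample responses are constructed, not captured from a real gateway.

```shell
#!/bin/sh
# Added post-configuration check, not part of the Access Manager documentation.
# Assumptions (hypothetical values): the published DNS name of the proxy
# service is ag.example.com, the non-secure port is 80 and the secure port 443.
# openssl and curl are needed only for the live checks; the helper functions
# run offline against the constructed sample responses below.

# Return 0 when a certificate subject CN matches the published DNS name.
# A single-label wildcard (*.example.com, the form the Access Manager CA issues
# when the reverse proxy has several proxy services) matches exactly one label.
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $cn in
        \*.*)
            suffix=${cn#\*.}
            # Drop the first label of the host; the rest must equal the suffix,
            # and the host must have at least two labels.
            [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]
            ;;
        *)
            [ "$cn" = "$host" ]
            ;;
    esac
}

# Return 0 when captured response headers (curl -sI output) show a 30x redirect
# to https:// on the expected host, i.e. the non-secure port is redirecting.
is_https_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    host=$2
    printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[1278]( |$)' || return 1
    printf '%s\n' "$headers" | grep -Eiq "^location: https://$host(:[0-9]+)?(/|\$)"
}

# Print the subject CN of the certificate presented on the secure port.
server_cert_cn() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Live check of one reverse proxy: certificate name, then non-secure port.
check_reverse_proxy() {
    host=$1; http_port=${2:-80}; https_port=${3:-443}
    cn=$(server_cert_cn "$host" "$https_port")
    if cn_matches_host "$cn" "$host"; then
        echo "OK    certificate CN '$cn' matches published DNS name $host"
    else
        echo "FAIL  certificate CN '$cn' does not match $host; browsers will not accept the SSL connection"
    fi
    headers=$(curl -sI --max-time 10 "http://$host:$http_port/")
    if is_https_redirect "$headers" "$host"; then
        echo "OK    port $http_port redirects to https"
    else
        echo "INFO  port $http_port did not redirect (expected when the redirect option is not selected)"
    fi
}

# Constructed sample responses (not captured from a real gateway).
SAMPLE_REDIRECT_HEADERS='HTTP/1.1 302 Found
Location: https://ag.example.com/
Content-Length: 0'

SAMPLE_PLAIN_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# Run the live check only when the operator supplies the published DNS name:
#   PROXY_HOST=ag.example.com sh check_reverse_proxy.sh
if [ -n "${PROXY_HOST:-}" ]; then
    check_reverse_proxy "$PROXY_HOST" "${HTTP_PORT:-80}" "${HTTPS_PORT:-443}"
fi
```

The CN comparison follows the rule this page states. Current browsers validate the name against the subjectAltName extension rather than the CN, so when you select an existing certificate rather than auto-generating one, also confirm that the published DNS name appears as a DNS entry in subjectAltName (openssl x509 -noout -text shows it).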