6.5 Securing Communication Channels

SecureLogin provides the following six communication channels:

  1. Web Console to Advanced Edition

  2. SecureLogin Client to Advanced Edition

  3. Advanced Edition to Data Store

  4. SecureLogin Client to Azure AD

  5. Advanced Edition to Azure Active Directory (AD)

  6. Advanced Edition to Audit Server

Figure 6-1 SSL Communication Channels

6.5.1 Protecting the Channel between Advanced Edition and the Web Console with SSL

Channel 1 in Figure 6-1, SSL Communication Channels.

While installing Advanced Edition, SecureLogin uses Let's Encrypt to generate the certificate. You can replace the default certificate with a third-party certificate authority (CA) issued certificate, such as Verisign.

For more information about how to replace the default certificate, see Using Your CA Signed Certificate in the NetIQ SecureLogin 9.1 Administration Guide.

6.5.2 Protecting the Channel between Advanced Edition and the SecureLogin Client with SSL

Channel 2 in Figure 6-1, SSL Communication Channels.

The SecureLogin client communicates with Advanced Edition over a secure SSL port. This port is con-figured while installing the client in the Advanced Edition mode.For higher security, it is recommended to install the root CA certificate on the SecureLogin client ma-chines.

6.5.3 Protecting the Channel between Advanced Edition and Data Store with SSL

Channel 3 in Figure 6-1, SSL Communication Channels.

For higher security, configure the data store root certificate in SecureLogin-Server-x.x.x.x\values.yaml.

Configuring the Datastore Root Certificate

  1. Create a folder named certs inside the SecureLogin-Server-x.x.x.x folder of the helm charts.

  2. Copy the datastore root certificate to the certs folder.

  3. Open SecureLogin-Server-x.x.x.x\values.yaml and specify the following details in the SSL section:

    • verifyDBCert: Specify true. The server host name in the certificate is verified to ensure that it matches the host name specified in values.yaml.

    • DBCert: Specify the name of the data store root certificate that you copied to the certs folder.

    • DBCertSecret: To change the certificate for the first time, no need to change this value. However, the next time onward, you must change both DBCert and DBCertSecret.

  4. Save the file.

  5. Perform a helm install or upgrade using the following command:

    • To install:

      helm install <name-of-the-release> <name-of-the-helm-chart> -n <name-of-the-namespace>

      For example, helm install slserver001 server -n nsl-namespace

    • To upgrade:

      helm upgrade <release-name> <name-of-the-helm-chart> -n <name-of-the-namespace>

      For example, helm upgrade slserver server -n my-ingress

6.5.4 Protecting the Channel between SecureLogin Client and Azure AD with SSL

Channel 4 in Figure 6-1, SSL Communication Channels.

The SecureLogin client communicates to the identity provider over the TLS 1.2 protocol with the verified server certificate.

This channel is used for obtaining OAuth 2.0 tokens from the identity provider. The SecureLogin client uses the following methods:

6.5.5 Protecting the Channel between Advanced Edition and Azure AD with SSL

Channel 5 in Figure 6-1, SSL Communication Channels.

Advanced Edition communicates to the user and groups directory and identity provider over the TLS 1.2 protocol with the verified server certificate.

Advanced Edition uses the bearer access token to verify the authorization with the identity provider. It requests for an On Behalf Of (OBO) token using the MSAL library or using Graph REST API.

  • Using MSAL library: With the OBO token, Advanced Edition requests the information about users and groups for collecting inherited settings or performing management tasks.

  • Using Graph REST API: Graph API ensures the secure delivery of the data to Azure AD. For more information, see Microsoft Graph Documentation.

6.5.6 Protecting the Channel between Advanced Edition and Audit Server with SSL

Channel 6 in Figure 6-1, SSL Communication Channels.

For enhanced security, configure the audit server root certificate in SecureLogin-Server-x.x.x.x\values.yaml.

For information about how to configure the audit server root certificate in values.yaml, see Configuring the Root Certificate in values.yaml in the SecureLogin 9 Advanced Edition Installation and Configuration Guide.

Ensure that the audit server is configured to listen on a TLS port. For information about how to configure the port for the audit server, see Configuring the Audit Server on the Web Console in the SecureLogin 9 Advanced Edition Installation and Configuration Guide.