Configuring secure connections between HTTP access services and internal application servers
You can use transport layer security (TLS) to secure connections between the HTTP access service and HTTP proxy servers or application servers on the internal network. To make it easier to configure secure connections to internal application servers, you can enable an HTTP access service to accept untrusted certificates from those servers automatically.
About this task
Application servers on the internal network that require secure connections must have X.509 certificates in their key databases so that they can negotiate the TLS handshake. Because the risk of identity spoofing among internal servers is usually judged to be low, it is common to install self-signed certificates rather than purchase certificates from a third-party certificate authority. However, self-signed certificates can cause connection failures, because the HTTP access service has no signer certificate with which to verify that the self-signed certificate can be trusted. To ensure that an HTTP access service does not encounter certificate errors when it connects to internal application servers that use untrusted certificates, enable automatic trust. When automatic trust is enabled, there is no need to obtain the trusted root signer certificate and add it to the key database on the SafeLinx Server.
Be aware of what automatic trust gives up. The HTTP access service then accepts whatever certificate an internal server presents, so it no longer verifies the identity of that server. The connection is still encrypted, which protects the traffic from passive eavesdropping, but an attacker who can intercept or redirect traffic on the internal network could present a certificate of their own and the access service would accept it. Where the internal network is not fully trusted, prefer adding the signer certificate of the internal servers (or each server's self-signed certificate) to the key database on the SafeLinx Server instead of enabling automatic trust.
Note: The setting to accept untrusted certificates from internal servers applies to application servers only. To enable secure connections to other types of internal servers, such as an LDAP or database server, you must obtain a copy of the server's certificate and store it in a local key database file.
To configure automatic trust of internal application servers, complete the following procedure.
Procedure
- From the Resources pane of the SafeLinx Administrator, right-click the HTTP access service that you want to configure, and then click Properties.
- From the Server page of the HTTP Access service properties, select Accept untrusted certificates from internal servers, and then click OK.
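The trust failure described under About this task, reproduced with the openssl command-line tool as an added example. This script is not SafeLinx code and is not part of the original page. It generates a self-signed certificate of the kind the page says is typical on internal application servers, shows that verification fails when no signer certificate is available, and shows the alternative to automatic trust: supplying the server's own certificate (or the private CA that issued it) as the trust anchor, which corresponds to importing the signer certificate into the key database on the SafeLinx Server. The hostnames app1.internal.example and app2.internal.example are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the SafeLinx documentation. Reproduces the trust
# failure caused by a self-signed certificate and shows the alternative to
# automatic trust: pinning the server's certificate as the trust anchor.
# Requires the openssl command-line tool; the hostnames below are assumptions.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping demonstration" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key pair and self-signed certificate for an internal application
# server, the kind of certificate the page describes on the internal network.
make_selfsigned_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/server.key" -out "$dir/server.pem" \
        -subj "/CN=$cn" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer is its own subject: nobody else
# vouches for it, so a verifier needs the certificate itself as a trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Verification with no signer certificate available: this is the error the
# HTTP access service hits before automatic trust is enabled. -no-CAfile and
# -no-CApath keep the host's system trust store out of the picture.
verify_without_anchor() {
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Verification with an explicit trust anchor (the server's own certificate or
# the private CA that issued it). This is what importing the signer certificate
# into the key database achieves: the handshake succeeds and the server is
# still authenticated, which automatic trust does not give you.
verify_with_anchor() {
    cert=$1
    anchor=$2
    if openssl verify -no-CAfile -no-CApath -CAfile "$anchor" "$cert" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_selfsigned_cert "$WORK/app1" app1.internal.example
make_selfsigned_cert "$WORK/app2" app2.internal.example
APP1="$WORK/app1/server.pem"
APP2="$WORK/app2/server.pem"

echo "app1 self-signed:              $(is_self_signed "$APP1")"
echo "app1, no anchor:               $(verify_without_anchor "$APP1")"
echo "app1, anchored on itself:      $(verify_with_anchor "$APP1" "$APP1")"
# Pinning is per certificate, not blanket trust: app1's anchor says nothing about app2.
echo "app2, anchored on app1's cert: $(verify_with_anchor "$APP2" "$APP1")"
```

To inspect what a live internal server actually presents before deciding between automatic trust and importing its certificate, run `openssl s_client -connect host:port -showcerts` and read the "Verify return code" line; note that s_client completes the handshake even when verification fails unless you pass `-verify_return_error`, which is the same behaviour that automatic trust gives the HTTP access service.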