Configuring secure connections between HTTP access services and clients

You can use Transport Layer Security (TLS) to encrypt connections between remote HTTP clients and an HTTP access service. You can specify whether the service uses standard TLS ciphers to encrypt the connection or if it uses ciphers that are FIPS 140-2 approved. You can also configure the service to require client devices to present X.509 certificates when they connect to the server.

About this task

Configure TLS connections by creating and managing certificates using OpenSSL or another key management utility and then editing properties for the HTTP access service

To enable the server to prove its identity during TLS protocol negotiations, you store an X.509 certificate for the HTTP access service in a PKCS12 keystore file on the SafeLinx server. You can use the default PCKS12 file, sl-default.p12, or create your own file. The keystore file is secured with a password. The password for sl-default.p12 is trusted.

When you first test secure connections, you can generate and use a self-signed certificate. However, for greater security it is best to use third-party certificates to secure connections with remote clients.

Procedure

  1. Obtain a certificate for the HTTP access service and add it to the PKCS12 keystore file. For information, see Generating a server certificate from a certificate authority.
  2. From the SafeLinx Administrator, right-click the HTTP access service that you want to configure and then click Properties.
  3. Open the Service page and in the Service URL field, verify that the protocol identifier is set to https.
    For example, https://safelinx.renovations.com.
  4. Verify the information in the PKCS12 keystore file and Keystore password fields.

    If you didn't use the default keystore file name, sl-default.p12, replace the default entry with the correct file name. If you placed the file in a directory other than the default SafeLinx Server installation directory, type the full path to the file.

  5. To require clients to use secure protocols to connect to the HTTP access service, from the Service page of the HTTP Access service properties. select Use secure connection.
  6. Specify which parties must present certificates. Choose one of the following options:
    • Choose Server session if you want to require a certificate from the HTTP access service only. This is the default setting.
    • Choose Server session with client certificate validation to enforce two-way certificate validation. When this setting is in effect, an HTTP client must provide its certificate first during the TLS handshake. Only after the client certificate is accepted, does the HTTP access service present its certificate. Typically, this setting is combined with a further credential checking to permit access to HTTP clients that have valid certificates only.
    For more information about using two-way certificate validation, see Client certificate authentication for HTTP access services.
  7. Specify the ciphers that the SafeLinx Server uses to negotiate TLS connections with HTTP clients. From the TLS Ciphers page of the HTTP access service properties, choose one of the following options and then select the individual ciphers that can be used to encrypt connections.
    • Click Use only FIPS 140-2 approved ciphers to require the use of cryptographic modules that are certified by the U.S. government in Federal Information Processing Standards (FIPS) publication 140-2, Security requirements for cryptographic modules.
    • Click Use standard ciphers to use the default TLS cryptographic standards to secure connections.
  8. From the SafeLinx Administrator, restart the SafeLinx Server.
  9. If you have configured HTTP application servers, log in from an HTTP client application to verify that the certificate is working.
    If the HTTP Service does not secure incoming connections, view the wg.log file for help in understanding whether the issue is certificate-related. On Linux, the wg.log file is in /var/adm. On Windows, you can find the file in \Program Files\HCL\SafeLinx Server\logs.