Configuring secure connections between HTTP access services and internal application servers
You can use transport layer security (TLS) to secure connections between the HTTP access service and HTTP proxy servers or application servers on the internal network. To make it easier to configure secure connections to internal application servers, you can enable an HTTP access service to accept untrusted certificates from those servers automatically.
About this task
Application servers on the internal network that require secure connections must have X.509 certificates in their PKCS12 keystore files so that they can complete the TLS handshake. Because the risk of identity spoofing among internal servers is low, it's typical to install self-signed certificates rather than purchase certificates signed by a third party. However, self-signed certificates can result in connection failures, because the HTTP access service does not have a signer certificate with which to verify that it can trust the self-signed certificate. To ensure that an HTTP access service does not encounter certificate errors when it tries to connect to internal application servers that use untrusted certificates, enable automatic trust. When you enable automatic trust, the HTTP access service accepts these certificates without a signer certificate to verify them, so there is no need to obtain a trusted root signer certificate and add it to the PKCS12 keystore file on the SafeLinx Server.
Note: The setting to accept untrusted certificates from internal servers applies to application servers only. To enable secure connections to other types of internal servers, such as an LDAP or database server, you must obtain a copy of the server's certificate and store it in a local PKCS12 keystore file.
To configure automatic trust of internal application servers, complete the following procedure.
Procedure
- From the Resources pane of the SafeLinx Administrator, right-click the HTTP access service that you want to configure, and then click Properties.
- From the Server page of the HTTP Access service properties, select Accept untrusted certificates from internal servers, and then click OK.
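
The trust behaviour described under About this task, shown with generic OpenSSL commands as an added example (not SafeLinx tooling and not part of the product documentation): a self-signed certificate fails verification until it is supplied as a signer, and the explicit-trust alternative from the Note stores the certificate alone in a PKCS12 file and checks its fingerprint. The host name, file names and password are constructed for the demonstration, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example: constructed names and password; requires OpenSSL 1.1.0+.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRT="$WORK/server.crt"; KEY="$WORK/server.key"; P12="$WORK/trust.p12"
P12_PASS="demo-only-password"        # constructed value
HOST="app.internal.example"          # hypothetical internal server name

# Self-signed certificate of the kind an internal server would present.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Empty trust store: no signer certificate is available, so this fails.
verify_without_signer() {
  openssl verify -no-CAfile -no-CApath "$CRT" >/dev/null 2>&1
}

# The certificate itself is supplied as the trusted signer, so this succeeds.
verify_with_signer() {
  openssl verify -no-CApath -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# SHA-256 fingerprint of the PEM certificate on stdin, for comparison
# against a value obtained from the server's administrator out of band.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Store only the certificate (no private key) in a PKCS12 trust store.
build_truststore() {
  openssl pkcs12 -export -nokeys -in "$CRT" -name "$HOST" \
    -out "$P12" -passout "pass:$P12_PASS"
}

# Read the certificate back out of the PKCS12 file and fingerprint it.
truststore_fingerprint() {
  openssl pkcs12 -in "$P12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | fingerprint
}

make_self_signed
if verify_without_signer; then echo "unexpected: trusted with no signer"
else echo "no signer certificate: verification fails"; fi
verify_with_signer && echo "signer certificate present: verification succeeds"
build_truststore
echo "server cert : $(fingerprint < "$CRT")"
echo "trust store : $(truststore_fingerprint)"
```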