Configuring secure connections between HTTP access services and internal application servers

You can use transport layer security (TLS 1.2 & TLS 1.3) to secure connections between the HTTP access service and HTTP proxy servers or application servers on the internal network. To make it easier to configure secure connections to internal application servers, you can enable an HTTP access service to accept untrusted certificates from those servers automatically.

Application servers on the internal network that require secure connections must have X.509 certificates in their PKCS12 keystore files so that they can negotiate the TLS (TLS 1.2 & TLS 1.3) handshake. Because the risk of identity-spoofing among internal servers is low, it's typical to install self-signed certificates, rather than purchase signed third-party certificates. However, self-signed certificates can result in connection failures, because the HTTP access server does not have a signer certificate to verify that it can trust the self-signed certificate. To ensure that an HTTP access service does not encounter certificate errors when it tries to connect to internal application servers that use untrusted certificates, enable automatic trust. When you enable automatic trust, there is no need to obtain a trusted root signer certificate and add it to the PKCS12 keystore file on the SafeLinx Server.
Note: The setting to accept untrusted certificates from internal servers applies to application servers only. To enable secure connections to other types of internal servers, such as an LDAP or database server, you must obtain a copy of the server's certificate and store it in a local PKCS12 keystore file.

To configure automatic trust of internal application servers, complete the following procedure.

  1. From the Resources pane of the SafeLinx Administrator, right-click the HTTP access service that you want to configure, and then click Properties.
  2. From the Server page of the HTTP Access service properties, select Accept untrusted certificates from internal servers, and then click OK.

Specify the ciphers that the SafeLinx Server uses to negotiate TLS connections with backend/internal HTTP server. From the Security page of the HTTP access service properties, choose which TLS version used to connect to backend server.

  • Click Use only FIPS 140-2 approved ciphers to require the use of cryptographic modules that are certified by the U.S. government in Federal Information Processing Standards (FIPS) publication 140-2, Security requirements for cryptographic modules.