Symantec Access Management

  • 1.  SPS 12.52 multiple wildcard certificates with same IP

    Posted Jul 27, 2017 09:53 AM

    We have multiple IPs on Secure Proxy Server 12.52, and each IP is tied to a specific certificate in httpd-ssl.conf with the same port. So whenever a new cert needs to be added, an additional IP needs to be created and configured with the new certificate in httpd-ssl.conf; this IP will be in the resource pool of the proxy servers' load balancer.

     

    Now we are switching to an ELB, where there is only a URL and no IP (technically). Is there a way to configure all the certificates on the proxy server's httpd-ssl.conf with only one IP? We don't have an option to change the port numbers.

     

    Thank you.



  • 2.  Re: SPS 12.52 multiple certificates with same IP

    Broadcom Employee
    Posted Jul 28, 2017 01:53 PM

    If you are placing a load balancer in front of the SPS, are you terminating SSL at the load balancer?

    If so, do you even need SSL again between the load balancer and the SPS?

     

    Anyway, assuming that you do need SSL between the LB and the SPS (or if the LB is configured not to terminate SSL), then traditionally it was not possible to configure multiple SSL certificates when using name-based virtual hosts. However, this problem has been solved for a number of years now, using "Server Name Indication". There's a good article on this on the Apache httpd wiki.

     

    According to the SPS documentation, it says that SSL for name based virtual hosts is not supported (scroll down to end of link). However, this appears now to be out of date, as it appears that the version of Apache that is shipped with the SPS does meet the pre-reqs for Server Name Indication SSL certs.

     

    In the httpd-ssl.conf file, you probably have a default virtual host entry that begins with the following tag

    <VirtualHost _default_:443>

     

    You can add additional SSL vhost entries below that for name-based virtual hosts, as per the following example:

     

    <VirtualHost *:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerName vhost1.demo.inc:443
    ServerAdmin admin@demo.inc
    ErrorLog logs/vhost1-ssl-error.log
    TransferLog logs/vhost1-ssl-access.log

    SSLEngine "on"
    SSLProtocol All -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "C:/Program Files (x86)/CA/secure-proxy/SSL/certs/vhost1.crt"
    SSLCertificateKeyFile "C:/Program Files (x86)/CA/secure-proxy/SSL/keys/vhost1key.pem"

    #   Certificate Authority (CA):
    #   For client cert authentication
    SSLCACertificatePath "C:/Program Files (x86)/CA/secure-proxy/SSL/certs"
    SSLCACertificateFile "C:/Program Files (x86)/CA/secure-proxy/SSL/certs/ca-bundle.cert"
    SSLVerifyClient "none"
    SSLVerifyDepth "10"

    SSLOptions +StdEnvVars +ExportCertData
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "C:/Program Files (x86)/CA/secure-proxy/httpd/cgi">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
             ssl-unclean-shutdown

    CustomLog logs/vhost1_ssl_request.log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

     

    It's just a copy of the default virtual host with the private key and cert updated, and the log file names updated.

     

    I tested this in r12.52 SPS, and it works for me.

     

    Hope this helps

     

    Pearse



  • 3.  Re: SPS 12.52 multiple certificates with same IP

    Broadcom Employee
    Posted Jul 30, 2017 07:44 PM

    Hi

     

    Since SPS is pretty much vanilla Apache, there are a few options that can help:

     

    Here is an earlier post explaining the chicken-and-egg thing going on for SSL and verifying the hostname:

    https://communities.ca.com/message/241707291?commentID=241707291#comment-241707291 

     

    But Apache also supports SNI (Server Name Indication), which allows the Apache server to match on the Host: header that is sent as part of the SSL "Client Hello" message.

     

    Here are some good Apache instructions:

    https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

     

    And some general information about SNI:

    https://en.wikipedia.org/wiki/Server_Name_Indication

     

    The other options, wildcard certs and altname certs, may apply, but from what you have, SNI seems the best solution.

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 4.  Re: SPS 12.52 multiple certificates with same IP

    Posted Aug 02, 2017 11:32 PM

    Hello Mark,

     

    I have tested one IP with two SNIs and it seems to be working fine, but I have several URLs using very few wildcard certificates, like below:

    app1.a.com, app2.a.com, app3.a.com......app55.a.com that uses *.a.com wild card certificate

    app1.b.net, app2.b.net, app3.b.net....app66.b.net that uses *.b.net wild card certificate

    Is there a way to achieve one IP to multiple wildcard certificates? I have put *.a.com as the ServerName in the virtual host, but it gave me an error saying '*' is not recognized.

     

    Thank you.



  • 5.  Re: SPS 12.52 multiple certificates with same IP

    Broadcom Employee
    Posted Aug 08, 2017 02:00 AM

    Hi Krshravan

     

     

    You can't enter a single VirtualHost entry that covers all of the *.example.com.  

     

    You have to add a VirtualHost entry for each site you wish to host, for example:

     

    NameVirtualHost *:443

    <VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

    <VirtualHost *:443>
    ServerName test1.example.com
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

     

    So for a wildcard certificate the answer is the same as with vanilla SNI, where you enter a VirtualHost for each host you will respond to, and you just use the same certificate.

     

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 6.  Re: SPS 12.52 multiple certificates with same IP
    Best Answer

    Broadcom Employee
    Posted Aug 08, 2017 02:38 AM

    And of course I was wrong.

     

    A bit more searching and I find out about "ServerAlias", which can be used in addition to "ServerName" but can take wildcard parameters:

    https://httpd.apache.org/docs/2.4/mod/core.html#serveralias

    <VirtualHost *:80>
    ServerName server.example.com
    ServerAlias server server2.example.com server2
    ServerAlias *.example.com
    UseCanonicalName Off
    </VirtualHost>

     

    Testing ServerAlias, I find it can be used with SSL <VirtualHost *:443> as well:

    <VirtualHost _default_:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerName test1.example.com:443
    ServerAlias *.example2.com:443
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    </VirtualHost>

     

    And that allowed me to access various hostnames over SSL.  

    https://www.example.com/
    https://test1.example.com/
    https://www.example2.com/
    https://fred.example2.com/

     

    And all of them were passed through httpd and were sent on to proxy-engine/tomcat.

     

    So it sounds like that is the configuration you need for your wildcard cert setup. 

     

    Cheers - Mark

    ---

    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 7.  Re: SPS 12.52 multiple certificates with same IP

    Posted Aug 10, 2017 03:38 PM

    Hello Mark,

     

    Thank you for the input. I have tested it as well and it worked fine, but I have multiple wildcard certificates and it's picking only one wildcard certificate.

     

    When I access test2.example2.com and test3.example2.com it allows me to access over SSL, but when I try accessing test2.example2.net and test3.example2.net it throws a certificate error and shows *.example2.com in the browser instead of *.example2.net.

     

    Is there a way to make it work using the same default port 443 and the same IP for multiple wildcard certificates? The reason is that we need to use the same port, the AWS ELB can be configured with only the primary IP on the server, and we have multiple wildcard certificates.

     

    <VirtualHost _default_:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerName test1.example.com:443
    ServerAlias *.example2.com:443
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    </VirtualHost>

    <VirtualHost _default_:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerName test1.example.net:443
    ServerAlias *.example2.net:443
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    </VirtualHost>



  • 8.  Re: SPS 12.52 multiple certificates with same IP

    Broadcom Employee
    Posted Aug 10, 2017 08:47 PM

    Hi krshravan 

     

    That would seem a bit weird. With:

          NameVirtualHost *:443

     

    It should match on the ServerName sent as part of the SNI SSL ClientHello. I don't see that test3.example2.net would match *.example2.com.

     

    After the match, it then returns the certificate in the matching block:

    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key

     

    No chance you've done something odd, like have the Cert File in the : test1.example.net / *.example2.net:443 block point to the other certificate ? 

     

    What happens if you do the following : 

    a) If you have specific VirtualHost entry for : test3.example2.net does that work? 

    b) If you drop the wildcards in ServerAlias and have specific ServerAlias test3.example2.net does that work?

     

    I believe you've got an internal support case as well, if you want to have a webex to follow this up, add a note to the case (or ring in) and we can see if we can do a bit of testing with your setup.

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success
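A runtime check for the symptom in post 7 (the wrong wildcard certificate coming back for a name) is to connect with each SNI name and compare the served certificate's DNS names with the name that was sent. This is an added example, not code from the thread or from CA/Broadcom; the host, port and CA bundle path passed to served_certificate are placeholders, and the certificate dicts below are constructed to mirror what posts 7 and 9 observed.

```python
import socket
import ssl

def served_certificate(host, port, sni, cafile):
    """Open a TLS connection with the given SNI name and return the certificate the server chose.
    CERT_REQUIRED (the default) is needed for getpeercert() to return the parsed certificate, so
    the CA bundle (assumed path) must contain the issuer of each wildcard certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # coverage is checked below against the SNI name we sent
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_dns_names(cert):
    """DNS names a getpeercert()-style dict covers: the SANs, or the CN only when there are none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def cert_name_matches(pattern, hostname):
    """Certificate wildcard rules (narrower than ServerAlias): '*' only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        suffix = p[1:]
        return h.endswith(suffix) and len(h) > len(suffix) and "." not in h[:-len(suffix)]
    return p == h

def sni_mismatches(served):
    """Given {sni_name: cert_dict}, return the SNI names whose served certificate does not cover them."""
    return sorted(sni for sni, cert in served.items()
                  if not any(cert_name_matches(n, sni) for n in cert_dns_names(cert)))

# Constructed getpeercert()-style dicts reproducing post 7: the .net name was served the .com cert.
WILDCARD_COM = {"subject": ((("commonName", "*.example2.com"),),),
                "subjectAltName": (("DNS", "*.example2.com"), ("DNS", "example2.com"))}
WILDCARD_NET = {"subject": ((("commonName", "*.example2.net"),),),
                "subjectAltName": (("DNS", "*.example2.net"), ("DNS", "example2.net"))}
POST7_OBSERVATION = {"test2.example2.com": WILDCARD_COM, "test3.example2.net": WILDCARD_COM}
POST9_OBSERVATION = {"test2.example2.com": WILDCARD_COM, "test2.example2.net": WILDCARD_NET}

if __name__ == "__main__":
    # Live use against the SPS behind the ELB (placeholder host, port and CA bundle path):
    # served = {n: served_certificate("sps.example.invalid", 443, n, "ca-bundle.cert") for n in [...]}
    print("post 7:", sni_mismatches(POST7_OBSERVATION))   # ['test3.example2.net']
    print("post 9:", sni_mismatches(POST9_OBSERVATION))   # []
```

Running the live loop against every hostname the ELB will forward gives the same per-name verdict the browser gave in post 7, without clicking through each site.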

     



  • 9.  Re: SPS 12.52 multiple certificates with same IP

    Posted Aug 16, 2017 03:47 PM

    Hello Mark,

     

    Yay, it worked. My bad, I was using the incorrect ELB while testing. In order to do end-to-end testing, I was using two ELBs that hit the proxy server, and had then written proxy rules that forward to the backend server.

     

    One more thing: it looks like we don't need the ServerName parameter either. I have removed it and it's working perfectly fine with the two URLs with different domains.

     

    I have accessed test2.example2.com and test2.example2.net and both of them displayed their corresponding certificates in the web browser.

     

    Thanks a ton!

     

    <VirtualHost server_primary_ip:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerAlias *.example2.com:443
    SSLCertificateFile /path/to/wildcard_example_com.crt
    SSLCertificateKeyFile /path/to/wildcard_example_com.key
    </VirtualHost>

    <VirtualHost server_primary_ip:443>
    DocumentRoot "C:/Program Files (x86)/CA/secure-proxy/httpd/htdocs"
    ServerAlias *.example2.net:443
    SSLCertificateFile /path/to/wildcard_example_net.crt
    SSLCertificateKeyFile /path/to/wildcard_example_net.key
    </VirtualHost>

     

    Thank you,

    Raja Shravan
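The selection rule that posts 2 and 5 through 9 converge on (the SNI name is compared with each VirtualHost's ServerName and ServerAlias entries in file order, the first match wins, an unmatched name falls to the first vhost as the default, and the matched block's SSLCertificateFile is what the client sees) can be checked offline against the config before restarting SPS. This is an added example, not code from the thread, SPS or Apache; it assumes every vhost shares one address:port, writes the ServerAlias patterns without the :443 suffix the posts used, and works on constructed excerpts of post 9's config and of post 7's, where both blocks named the same certificate file.

```python
import re

# Constructed excerpts, not the thread's verbatim files: WORKING mirrors post 9; BROKEN
# mirrors post 7, where both wildcard vhosts point at the same certificate file.
WORKING = """
<VirtualHost server_primary_ip:443>
ServerAlias *.example2.com
SSLCertificateFile /path/to/wildcard_example_com.crt
</VirtualHost>
<VirtualHost server_primary_ip:443>
ServerAlias *.example2.net
SSLCertificateFile /path/to/wildcard_example_net.crt
</VirtualHost>
"""
BROKEN = WORKING.replace("wildcard_example_net.crt", "wildcard_example_com.crt")
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    # Vhosts in file order: the first one on an address:port is that address's default.
    vhosts = []
    for body in VHOST_RE.findall(conf):
        vh = {"names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            key, args = (parts[0].lower(), parts[1:]) if parts else ("", [])
            if key == "servername" and args:
                vh["names"].append(args[0].split(":")[0])  # drop the :port ServerName allows
            elif key == "serveralias":
                vh["names"].extend(args)
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0].strip('"')
        vhosts.append(vh)
    return vhosts

def alias_matches(pattern, host):
    # ServerAlias wildcards: '*' is any run of characters, '?' one; case-insensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host, re.I) is not None

def vhost_for_sni(vhosts, sni):
    # First vhost whose ServerName/ServerAlias matches the SNI name, else the default.
    return next((vh for vh in vhosts if any(alias_matches(p, sni) for p in vh["names"])), vhosts[0])

def shared_cert_files(conf):
    # Certificate files that vhosts with different name lists both point at (post 8's suspicion).
    by_cert = {}
    for vh in parse_vhosts(conf):
        by_cert.setdefault(vh["cert"], set()).add(tuple(vh["names"]))
    return sorted(c for c, names in by_cert.items() if len(names) > 1)
```

Feeding the real httpd-ssl.conf to parse_vhosts and asking vhost_for_sni for each hostname the ELB forwards shows, per name, which certificate file will be served and which names silently fall to the default block.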