Skip to main content

Configure SSL Termination Point Functionality

Introduction

This document explains how to configure the secure socket layer (SSL) termination functionality in SecureAuth IdP to help prevent a man-in-the-middle attack (a.k.a. MitM, MiM attack, or MitMA) against the SecureAuth IdP infrastructure. A MitM attack on SSL can occur when an attacker impersonates a client and / or server and either eavesdrops or alters communications between them.

To safeguard against a MitM attack, an SSL termination point can be configured on the Web Admin, and a certificate used for authentication before encrypted data is sent from a client computer to the web server via an SSL connection. The SSL termination acts as the endpoint for the SSL connection, intercepting encrypted traffic received by the web server and freeing the web server to perform other tasks such as loading web pages.

Applies to

SecureAuth IdP Version

OS Version

7.x+

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

SecureAuth IdP Configuration Steps

Based on the environment setup, the SSL termination point functionality can be configured in one of two ways in the Workflow section on the Workflow tab

  • Method 1 requires an entry in the (or) SSL Cert Address field to identify the server on which the SSL certificate resides and an entry in the SSL Termination Point field to specify where SSL (TCP / 443) traffic will terminate

  • Method 2 requires inserting the SecureAuth IdP SSL / TLS certificate BLOB – in Base64 format – into the SSL Termination Cert field and an entry in the SSL Termination Point field to specify where SSL (TCP / 443) traffic will terminate

Note

In most environments, Method 1 would be used since the least amount of maintenance is involved

Method 2 is usually used when there are restrictions in the production environment that interfere with certificate usage

Version 9.0.1+

Method 1

1. In the Workflow section, under Termination Points, enter the IPv4 address of the server with the SSL certificate to be used for authentication in the (or) SSL Cert Address field

  • If communicating directly with a SecureAuth IdP server, enter 127.0.0.1

  • If using a load balancer with SSL traffic terminating to it, enter the IPv4 address of the load balancer

  • If using a load balancer which only passes traffic, enter 127.0.0.1

2. Enter the Fully Qualified Domain Name (FQDN) of the SSL Termination Point – e.g. secureauth.company.com

43979031.png

Method 2

1. Export the SSL certificate from the SSL server in the Base64 format

2. Open the certificate in a text editor (e.g. Windows Notepad) and copy the contents to the clipboard

3. In the Workflow section, under Termination Points, paste the certificate BLOB into the SSL Termination Cert field

4. Enter either the Fully Qualified Domain Name (FQDN) or the IPv4 address of the SecureAuth IdP server in the SSL Termination Point field

If the SecureAuth IdP server is located behind a load balancer such as a F5 or Microsoft Network Load Balancer, then instead enter the FQDN or IPv4 address of the load balancer

43979032.png

Warning

Click Save once the configuration has been completed and before leaving the Workflow page to avoid losing changes

Notice

If SecureAuth generates a "404-SecureAuth was unable to find a matching SSL certificate. Please contact helpdesk to check server settings." message, then the SSL termination configuration may need to be re-configured.

Review all settings and then make another attempt to use the SSL termination point. In some rare cases, this error could be caused by an incorrectly configured license certificate (System Info → License Info → Cert Serial Nbr → Select Certificate).

Reference

Refer to Use X-Forwarded-For (XFF) with URL Rewrite Module for information on configuring SecureAuth IdP in load balanced environments