Configuring secure connections between HTTP access services and internal application servers

You can use transport layer security (TLS) to secure connections between the HTTP access service and HTTP proxy servers or application servers on the internal network. To make it easier to configure secure connections to internal application servers, you can enable an HTTP access service to accept untrusted certificates from those servers automatically.

Application servers on the internal network that require secure connections must have X.509 certificates in their key databases so that they can negotiate the TLS handshake. Because the risk of identity-spoofing among internal servers is low, it's typical to install self-signed certificates, rather than purchase signed third-party certificates. However, self-signed certificates can result in connection failures, because the HTTP access server does not have a signer certificate to verify that it can trust the self-signed certificate. To ensure that an HTTP access service does not encounter certificate errors when it tries to connect to internal application servers that use untrusted certificates, enable automatic trust. When you enable automatic trust, there is no need to obtain a trusted root signer certificate and add it to the key database on the SafeLinx Server.
Note: The setting to accept untrusted certificates from internal servers applies to application servers only. To enable secure connections to other types of internal servers, such as an LDAP or database server, you must obtain a copy of the server's certificate and store it in a local key database file.

To configure automatic trust of internal application servers, complete the following procedure.

  1. From the Resources pane of the SafeLinx Administrator, right-click the HTTP access service that you want to configure, and then click Properties.
  2. From the Server page of the HTTP Access service properties, select Accept untrusted certificates from internal servers, and then click OK.