Cannot accelerate internal Web Server with Access Gateway due to SSL handshake failures

  • 7014421
  • 16-Jan-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 2 applied
NetIQ Access Manager 3.2 Access Gateway Appliance

Situation

NAM 3.2.2 Access Gateway is accelerating a secure Web server. When users hit this Web server, they get 504 Gateway Timeout errors instead of the actual back-end application pages. Looking at traces, one can see that the Access Gateway attempts an SSL negotiation with the internal resource using SSL v2. Since the internal resource will not allow negotiation for SSL v2, the SSL handshake aborts and the users receive the error. Is there a way to prevent AM from trying to use SSL v2?

Resolution

Add the following advanced options to the Access Gateway configuration to disable SSL v2:

SSLProtocol All -SSLv2
SSLProxyProtocol All -SSLv2

mod_ssl defines the SSL parameters (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol) that we need. Since we are talking to the back-end Web server, it is the SSLProxyProtocol directive that actually needs to be set. The SSLProtocol directive defines the SSL parameters for communication between the browser and the Access Gateway, so it does not affect the handshake with the back end.
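To confirm that a configuration really leaves SSL v2 disabled on both directives (and, going one step beyond this article, to flag SSL v3 as well), the following added script, which is not part of the NetIQ article or of mod_ssl, evaluates SSLProtocol and SSLProxyProtocol using the token rules mod_ssl documents: tokens are processed left to right, "+name" adds, "-name" removes, a bare name replaces what was set so far, and a missing directive defaults to "all". The protocol list behind "all" is an assumption taken from the Apache 2.2 documentation linked above.

```python
"""Evaluate effective mod_ssl protocol sets in an Apache-style config fragment."""

# Assumption: "all" expands as in the Apache 2.2 mod_ssl docs
# (SSLv2 SSLv3 TLSv1, plus TLSv1.1/TLSv1.2 on OpenSSL 1.0.1 or later).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEPRECATED = {"SSLv2", "SSLv3"}          # reported when still enabled
DIRECTIVES = ("SSLProtocol", "SSLProxyProtocol")


def parse_protocol_value(value):
    """Apply the directive's tokens left to right and return the enabled set."""
    enabled = set()
    for token in value.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            chosen = {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
            if not chosen:
                raise ValueError("unknown protocol token: %s" % token)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen   # a bare name replaces, it does not add
    # Note: an empty result (e.g. just "-SSLv2") leaves nothing to negotiate.
    return enabled


def effective_protocols(config_text):
    """Return {directive: enabled protocols}; an absent directive means 'all'."""
    result = {d: parse_protocol_value("all") for d in DIRECTIVES}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments start the line
            continue
        parts = line.split(None, 1)
        for d in DIRECTIVES:
            if len(parts) == 2 and parts[0].lower() == d.lower():
                result[d] = parse_protocol_value(parts[1])   # last one wins
    return result


def weak_protocols(config_text):
    """Deprecated protocols still enabled, per directive (sorted lists)."""
    return {d: sorted(s & DEPRECATED) for d, s in effective_protocols(config_text).items()}


# Constructed sample: the article's fix, applied to an otherwise default config.
FIXED_CONFIG = "SSLProtocol All -SSLv2\nSSLProxyProtocol All -SSLv2\n"
```

Running weak_protocols("") shows why the article's symptom appears with no directives set at all, and weak_protocols(FIXED_CONFIG) shows that the two lines remove SSL v2 from both the browser-facing and the back-end-facing handshake while SSL v3 remains enabled.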