Cannot restrict ciphers with TLS 1.2 changes when using Domain Based Multihomed Child (DBMH) child proxy

  • 7016283
  • 10-Mar-2015
  • 31-Mar-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 HF1 applied with TLS 1.2 support (https://www.netiq.com/documentation/netiqaccessmanager4/enable_tls_nam40/data/enable_tls_nam40.html)

Situation

NAM 4.0 environment set up and working well - users were able to access protected SSL-enabled Web servers after successfully authenticating to the Identity Server. For security purposes, the admin for the setup wanted to enable TLS 1.2 between the AG and the secure Web server as per the above document. As soon as we did this, users started getting 502 status responses when accessing two of the back-end secure web servers.

We worked around the issue by tweaking the SSLProxyCipherSuite Advanced Option to include specific ciphers supported by the back end (which we obtained using the openssl client). Rather than setting it globally, we wanted to minimise the impact of this change by adding it to the local Advanced Options for that proxy service. When we did this, we found that access to only one of the secure web servers worked, but the other still returned a 502.

It turns out that when adding the SSLProxyCipherSuite list to the domain-based MH child, the ciphers are NEVER written to the Apache vhost.d CONF file for that proxy. If we have a regular or path-based MH child, everything works fine, i.e. the Advanced Options are written correctly to the config files.
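Two checks that go with the steps above, as an added example (not part of the TID and not NetIQ code): enumerating the TLS 1.2 ciphers a back end accepts with openssl s_client, and confirming that the SSLProxyCipherSuite directive actually reached the generated vhost conf. The sample conf files, paths, host and port are constructed placeholders, not NAM values.

```shell
#!/bin/sh
# Added example, not from the NetIQ TID. Host/port and conf paths are assumptions.

# 1. List the TLS 1.2 cipher suites a back-end web server accepts: one
#    openssl s_client handshake per suite (needs network access to the back end).
probe_backend_ciphers() {
  host="$1"; port="${2:-443}"
  for c in $(openssl ciphers 'ALL:!aNULL' | tr ':' ' '); do
    if echo | openssl s_client -connect "$host:$port" -tls1_2 -cipher "$c" \
         >/dev/null 2>&1; then
      echo "$c"
    fi
  done
}

# 2. Confirm the directive reached the generated Apache vhost conf. Prints the
#    directive line and returns 0 when present, 1 when absent (the symptom
#    described for the domain-based multihomed child).
check_proxy_cipher_directive() {
  conf="$1"
  grep -E '^[[:space:]]*SSLProxyCipherSuite[[:space:]]' "$conf" 2>/dev/null
}

# Constructed sample vhost confs standing in for the files under vhost.d:
# one where the Advanced Option was written, one where it was dropped.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/path_child.conf" <<'EOF'
<VirtualHost *:443>
    SSLProxyEngine on
    SSLProxyProtocol TLSv1.2
    SSLProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
</VirtualHost>
EOF
cat > "$tmpdir/domain_child.conf" <<'EOF'
<VirtualHost *:443>
    SSLProxyEngine on
    SSLProxyProtocol TLSv1.2
</VirtualHost>
EOF

check_proxy_cipher_directive "$tmpdir/path_child.conf"
check_proxy_cipher_directive "$tmpdir/domain_child.conf" \
  || echo "SSLProxyCipherSuite missing from $tmpdir/domain_child.conf"
```

Run `probe_backend_ciphers backend.example.com 443` against the real back end to get the list to put in the Advanced Option, then run the second check against the conf the Access Gateway generated for that proxy service.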

Resolution

Fixed in NAM 4.1.

You can work around this issue in NAM 4.0 by going to the Proxy configuration -> "TCP Listen Options" -> "Enforce 128-Bit Encryption between Access Gateway and Web Server" and making sure it is enabled.