Cannot restrict ciphers with TLS 1.2 changes when using Domain Based Multihoned Child (DBMH) child proxy

  • 7016283
  • 10-Mar-2015
  • 31-Mar-2015


NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 HF1 applied with TLS 1.2 support (


NAM 4.0 environment setup and working well - users were able to access protected SSL enabled Web servers after successfully authenticating to the Identity server. For security purposes, the admin for the setup wanted to enabled TLS 1.2 between the AG and secure Web server as per the above document. As soon as we did this, users started getting 502 status responses when accessing two of the back end secure web servers.

We worked around the issue by tweaking the SSLProxyCipher Advanced Option to include specific ciphers supported by the back end (which we obtained using the openssl client). Rather than setting it globally, we wanted to minimise the impact of this change by adding it to the local Advanced Options for that proxy service. When we did this, we found that access to only one of the secure web servers worked, but the other still returned a 502.

It turns out that when adding the SSLProxyCIpherSuite list to the domain based MH child, the ciphers are NEVER written to the Apache vhost.d CONF file for that proxy. If we have a regular or path based MH child, everything works fine ie. the Advanced Options are written correctly to the config files.


Fixed in NAM 4.1.

Can workaround this issue in NAM 4.0 by going to the Proxy configuration -> "TCP Listen Options" -> "Enforce 128-Bit Encryption between Access Gateway and Web Server" and making sure it is enabled.