Configuring ProxySG communication over SSL with the BCAAA server self-signed certificate.

Article ID: 166032

Products

ProxySG Software - SGOS

Issue/Introduction

Assumption: the SSL certificate is self-signed.

Section A: ProxySG Installation

1) Management Console -> Authentication -> IWA: click New, enter a REALM name and the BCAAA hostname (for example ford.kllab.bluecoat.com; do not use an IP address). On the IWA Servers tab, select the REALM name and, under SSL Options, select Enable SSL and Verify Server Certificate. Click APPLY.

Note: make sure the DNS server configured on the ProxySG can resolve this hostname.

2) Management Console -> SSL -> Keyrings -> SSL Certificates: copy the default certificate from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----". Paste the certificate into Notepad and save the file with a .cer extension (for example proxysg.cer).

3) Management Console -> SSL -> SSL Client: under Keyring, change <NONE> to DEFAULT. Click APPLY.

 
Section B: BCAAA Installation

1) Install BCAAA and set the parameter to 'Allow only SSL connections.'

2) Configure the CN as the hostname (for example ford.kllab.bluecoat.com; do not use an IP address, and make sure DNS is able to resolve this hostname).

3) Set "Save the automatically generated certificate in the certificate store" to YES.

4) Set "Require the ProxySG to provide a valid certificate in order to connect" to NO.

5) Click 'Install' to run the installation process.

6) Once the BCAAA installation is complete, open bcaaa.ini and make sure the configuration matches the following. If it differs, edit bcaaa.ini and restart the BCAAA service.

    UseSSL=1
    CertificateSubject=ford.testlab.bluecoat.com
    SaveGeneratedCertificate=1
    VerifySG=0

7)  From the BCAAA server console, click START, RUN, type MMC and click OK. When the console opens, click File, Add/Remove Snap-in (or press CTRL + M), click ADD, select CERTIFICATES, click ADD, select SERVICE ACCOUNT, click NEXT twice, select BCAAA, click FINISH, click CLOSE and then OK.

8)  Make sure the certificate appears under BCAAA\Personal, Certificates. If there is no certificate with the hostname from step 2, you may need to perform the additional steps documented in Appendix A.

9)  Double-click that certificate; you should see that it is currently not trusted.

10) To make the certificate trusted, press CTRL + M (or click File, Add/Remove Snap-in), click ADD, select CERTIFICATES, click ADD, select Computer Account, click NEXT and then FINISH. Click CLOSE and OK.

11) Under Certificates - Service (BCAAA) on Local Computer, BCAAA\Personal, Certificates, select the ford.testlab.bluecoat.com certificate, right-click and COPY. Then go to Certificates (Local Computer), Trusted Root Certification Authorities, Certificates, right-click and PASTE. The certificate is placed at the bottom of the list. Then double-click the certificate (ford.testlab.bluecoat.com); you will find that the certificate is not currently trusted.

12) On the same certificate screen, click DETAILS, then COPY TO FILE. The Certificate Export Wizard opens; click NEXT, click NEXT again (leaving "No, do not export the private key" selected), select Base-64 encoded X.509 (.CER), click NEXT, save the file to a path (for example c:\bcaaa), and click FINISH.

13) Close the MMC console and open the bcaaa.cer file you just created in Notepad, then copy the entire string from BEGIN CERTIFICATE to END CERTIFICATE. Then connect to the ProxySG Management Console via HTTPS.

14) Restart the BCAAA services.
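As an added check for steps 6, 12 and 13 (example code written for this article, not part of BCAAA or the ProxySG), the following Python verifies a bcaaa.ini against the values shown above and extracts and validates the PEM block copied from the console or the exported .cer file. It assumes the expected CertificateSubject is ford.testlab.bluecoat.com, the hostname entered as the BCAAA server in the IWA realm; the ini and certificate samples are constructed.

```python
import base64
import re

# Values the procedure requires in bcaaa.ini. CertificateSubject must be the exact hostname
# entered as the BCAAA server in the ProxySG IWA realm: with "Verify Server Certificate"
# enabled, any mismatch fails the SSL handshake. (Assumption: ford.testlab.bluecoat.com.)
EXPECTED = {
    "usessl": "1",
    "certificatesubject": "ford.testlab.bluecoat.com",
    "savegeneratedcertificate": "1",
    "verifysg": "0",
}

def parse_ini(text):
    """Return {lowercased key: value} from key=value lines; skips blanks, comments and [sections]."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def check_bcaaa_ini(text, expected=EXPECTED):
    """Return a list of mismatches against the procedure; an empty list means the ini is correct."""
    settings = parse_ini(text)
    problems = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"{key} is missing (expected {want})")
        elif got.lower() != want.lower():
            problems.append(f"{key}={got} (expected {want})")
    return problems

def extract_pem_cert(blob):
    """Extract the first PEM cert from pasted text (steps A2/B13), check it is base64 DER, rewrap it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", blob, re.S)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = "".join(m.group(1).split())          # drop line breaks and stray whitespace
    der = base64.b64decode(body, validate=True)  # rejects non-base64 debris from the paste
    if not der or der[0] != 0x30:                # a certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed samples (not real data): an ini still carrying the other hostname used earlier in
# this article plus VerifySG=1, and a placeholder DER SEQUENCE (MAMCAQE=), not a real certificate.
BAD_INI = "UseSSL=1\nCertificateSubject=ford.kllab.bluecoat.com\nSaveGeneratedCertificate=1\nVerifySG=1\n"
SAMPLE_BLOB = "pasted console text\n-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```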


Section C: ProxySG Configuration and Settings

1)  In Management Console -> SSL -> CA Certificates, click IMPORT, enter the hostname as the CA Cert name (for example ford.testlab.bluecoat.com), and paste the string copied from bcaaa.cer into the CA Cert field.

2)  Click OK; the certificate is placed at the bottom of the CA certificates list. Click APPLY. Then go to Management Console -> Policy -> Visual Policy Manager and click LAUNCH.

3)  Ensure the device profile includes your BCAAA server's certificate: go to Configuration -> SSL -> Device Profiles, highlight the profile in use, and click 'Edit'. Change 'CCL' (CA Certificate List) to '<All CA Certificates>'. Click 'Apply'. BCAAA over SSL should now work. Note that this makes every CA certificate trusted by that profile; if you do not want this, create a new profile with its own CA Certificate List.
Alternatively, add this certificate to the CCL specified in the selected device profile (under Configuration > Authentication > IWA > IWA Servers). By default this is the 'default' device profile, which means you add it to the browser-trusted CCL.

4)  In Visual Policy Manager, click Policy, select Add Web Authentication Layer, provide a name and click OK. Right-click the Action column, select Set, click New, select Authenticate, choose the REALM you created and click OK twice. Click Install Policy and close the Visual Policy Manager.

5)  Go back to the BCAAA server console, open Event Viewer and select Application so you can watch for errors during testing. Then test authentication from your PC: point the browser explicitly at the ProxySG and connect to a website.


Appendix A
============


To generate the certificate for the BCAAA server (when the certificate does not appear after installation), configure the ProxySG to send an NTLM request to BCAAA. Once the request reaches BCAAA, the certificate is generated automatically.

The simplest way to initiate an NTLM request from the ProxySG to BCAAA is to configure a client browser to use the ProxySG as its explicit proxy. The ProxySG then forwards the authentication request to BCAAA.
