15.3.2.1. Procedure – Configuring communication between PNS and AS

  1. Configuring the bind parameters of AS

    Figure 15.15. Configuring the bind parameters of AS

    First, the connection settings of AS have to be configured in the Bind section on the Authentication server MC component. Specify the IP address/port pair on which AS should accept connections.

    Tip

    If AS and PNS are running on the same machine, use the local loopback interface (IP: 127.0.0.1).

    Note

    The same bind settings will have to be used when the Authentication provider is configured in the Policies tab of the Application-level Gateway MC component.

  2. Configuring the SSL for AS

    Figure 15.16. Configuring the SSL for AS

    If PNS and AS are running on separate machines, enable and configure SSL encryption. Check the Require SSL for incoming connections checkbox, click on ... next to the Certificate textbox, and select a certificate. This certificate has to be available on the AS host and is presented to PNS so that PNS can verify the identity of the AS server. For details about creating certificates, see Procedure 11.3.8.2, Creating certificates.

    To enable mutual authentication (that is, to verify the certificate of PNS), check the Verify peer certificate checkbox and select the CA group containing the trusted certificates. Also make sure to set the Verify depth high enough so that the root CA certificate in the CA chain can be verified. The default value (3) should be appropriate for internal CAs.

  3. Creating an Authentication provider

    Figure 15.17. Creating an Authentication provider

    The connection also has to be set up from the PNS side. This can be accomplished by creating an Authentication provider on the Policies tab of the Application-level Gateway MC component. Click on New, select Authentication provider from the Policy type combobox, and enter a name for the provider into the Policy textbox.

  4. Configuring an Authentication provider

    Figure 15.18. Configuring an Authentication provider

    Enter the IP address of the AS server into the Address field. This must be the same address that was specified as the Bind address for AS in Step 1.

  5. Configuring SSL for an Authentication provider

    Figure 15.19. Configuring SSL for an Authentication provider

    If SSL encryption was enabled in Step 2, select the Certificate PNS will show to AS. PNS can also verify the certificate shown by AS using the CAs specified in CA group.

    Note

    Obviously, the CAs that issued the certificates of PNS and AS must be members of the CA groups selected for verifying those certificates; otherwise the verification fails.
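    The constraints the five steps impose on the two sides (matching address and port, SSL on both ends, each side's CA group containing the CA that issued the other side's certificate, and a Verify depth large enough for the chain) are easy to get wrong one at a time. The script below is an added illustration, not code from the PNS/AS product or its management console: it models an AS bind and a PNS Authentication provider as plain dictionaries, uses constructed certificate records (a leaf signed by an issuing CA signed by a root), and reports every mismatch. The dictionary keys, the certificate names, the address and port, and the assumption that Verify depth follows the OpenSSL counting convention (leaf at depth 0, each issuer one step up) are all assumptions of this example.

```python
"""Consistency checks for a PNS <-> AS pairing, following the procedure above.

Added illustration only: this script is not part of the PNS/AS product or its
management console. The configuration dictionaries, the certificate records
and the check functions are all constructed here; the real components keep
these settings in their own formats.
"""

# Constructed certificate records, subject -> issuer. A root CA is self-signed
# (subject == issuer). A real deployment would read X.509 files instead.
CERTS = {
    "CN=as.example.internal": "CN=Internal Issuing CA",
    "CN=pns.example.internal": "CN=Internal Issuing CA",
    "CN=Internal Issuing CA": "CN=Internal Root CA",
    "CN=Internal Root CA": "CN=Internal Root CA",
}


def chain_to_trusted(leaf, ca_group, verify_depth):
    """Follow issuer links from `leaf` until a member of `ca_group` is reached.

    Depth counting is assumed to follow the OpenSSL convention: the leaf sits
    at depth 0, each issuer step adds one, so at most `verify_depth` CA
    certificates may sit above the leaf. Returns (chain, reason); chain is
    None when verification fails.
    """
    chain = [leaf]
    current = leaf
    for _ in range(verify_depth):
        issuer = CERTS.get(current)
        if issuer is None:
            return None, f"issuer of {current} is unknown"
        chain.append(issuer)
        if issuer in ca_group:
            return chain, "ok"
        if issuer == current:  # reached a self-signed root that is not trusted
            return None, f"self-signed root {issuer} is not in the CA group"
        current = issuer
    return None, f"chain is longer than verify depth {verify_depth} allows"


def check_pairing(as_cfg, pns_cfg):
    """Return the list of mismatches between an AS bind and a PNS provider."""
    problems = []
    # Steps 1 and 4: the provider must target the AS bind address and port.
    if (pns_cfg["address"], pns_cfg["port"]) != (as_cfg["bind_address"], as_cfg["bind_port"]):
        problems.append(
            f"provider targets {pns_cfg['address']}:{pns_cfg['port']} but AS binds "
            f"{as_cfg['bind_address']}:{as_cfg['bind_port']}")
    # Steps 2 and 5: SSL has to be switched on at both ends or at neither.
    if as_cfg["require_ssl"] != pns_cfg["use_ssl"]:
        problems.append("SSL is enabled on only one side")
    if not (as_cfg["require_ssl"] and pns_cfg["use_ssl"]):
        return problems
    # AS checks the PNS certificate when 'Verify peer certificate' is set.
    if as_cfg["verify_peer"]:
        chain, why = chain_to_trusted(pns_cfg["certificate"], as_cfg["ca_group"], as_cfg["verify_depth"])
        if chain is None:
            problems.append(f"AS cannot verify the PNS certificate: {why}")
    # PNS checks the AS certificate against its own CA group, if one is set.
    if pns_cfg["ca_group"]:
        chain, why = chain_to_trusted(as_cfg["certificate"], pns_cfg["ca_group"], pns_cfg["verify_depth"])
        if chain is None:
            problems.append(f"PNS cannot verify the AS certificate: {why}")
    return problems


# Constructed sample settings; the address and port are placeholders.
AS_CONFIG = {
    "bind_address": "10.0.0.5", "bind_port": 1316,
    "require_ssl": True, "certificate": "CN=as.example.internal",
    "verify_peer": True, "ca_group": {"CN=Internal Root CA"}, "verify_depth": 3,
}
PNS_PROVIDER = {
    "address": "10.0.0.5", "port": 1316, "use_ssl": True,
    "certificate": "CN=pns.example.internal",
    "ca_group": {"CN=Internal Root CA"}, "verify_depth": 3,  # depth on the PNS side is assumed
}


def demo():
    """Run the checks on a correct pairing and on three typical slips."""
    results = {"correct": check_pairing(AS_CONFIG, PNS_PROVIDER)}
    wrong_ca = dict(AS_CONFIG, ca_group={"CN=Unrelated Root CA"})
    results["issuer missing from CA group"] = check_pairing(wrong_ca, PNS_PROVIDER)
    shallow = dict(AS_CONFIG, verify_depth=1)
    results["verify depth too small"] = check_pairing(shallow, PNS_PROVIDER)
    wrong_addr = dict(PNS_PROVIDER, address="10.0.0.6")
    results["address mismatch"] = check_pairing(AS_CONFIG, wrong_addr)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'consistent'}")
```

    The two failing SSL scenarios correspond to the two notes in this procedure: a CA group that does not contain the issuing chain fails at the untrusted self-signed root, and a Verify depth of 1 cannot reach the root through the issuing CA, which is why the default of 3 is comfortable for an internal CA with one intermediate.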