Managing SSL/TLS termination

Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), is a protocol for securing network traffic by encrypting it in transit and decrypting it at the endpoint.

SSL termination is the process of decrypting traffic before it is passed on to another server, such as Access Gateway. When used with a load balancer, SSL can be terminated at the load balancer, or the encrypted traffic can be passed directly to Access Gateway and SSL terminated there.


Which method is selected is largely a matter of preference. When SSL is terminated at the load balancer, decisions can be made about the traffic based on its decrypted content; sophisticated load balancers provide such functionality. Terminating SSL at the load balancer is often a benefit to the back end server, for example conserving CPU by not requiring the back end to decrypt the traffic. However, with Access Gateway all traffic between Access Gateway and the load balancer uses HTTPS and is encrypted for security purposes, which negates this benefit.

By default, SSL termination is performed by Access Gateway; however, SSL termination can instead be performed by a load balancer.
The process for configuring SSL termination is similar in both situations. The following task list describes the process.

Task: Integrate applications

    Integrate one or more protected back end applications with Access Gateway. Note that by default, Access Gateway applications include a self-signed wildcard certificate that is generated when the application is added. Subsequent applications in the same domain can reuse the generated self-signed certificate. For more information see About Access Gateway Certificates.

Task: Obtain certificate(s)

    When not using self-signed certificates, certificates must be obtained from a certificate authority, such as DigiCert, or generated using tools such as OpenSSL.
    Okta does not endorse any specific certificate provider.

Task: Upload certificates (Access Gateway)

    After obtaining a certificate, it must be uploaded to Access Gateway or the load balancer for use with applications.
    Certificates are uploaded to Access Gateway using the Access Gateway Management console.

    To upload certificates into a load balancer, see the appropriate platform documentation.

Task: Associate certificates (Access Gateway only)

    After uploading a certificate using the Access Gateway Management console, the certificate must be associated with an application.

See Certificate management tasks for details of obtaining, uploading, and associating certificates with protected back end web resources in an Access Gateway environment.
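Generating a self-signed wildcard certificate with OpenSSL and checking it before upload, as an added shell example that is not Okta's or Access Gateway's code: it assumes the openssl command line tool is installed, uses example.com as a placeholder domain, and stands in for the wildcard certificate Access Gateway generates for a new application. The three checks (key matches certificate, hostnames covered, remaining validity) apply equally to a CA-issued certificate and are the ones worth running before uploading to Access Gateway or a load balancer; the host check also shows that a *.example.com wildcard covers a single label only.

```shell
#!/bin/sh
# Added example, not Okta's code. "example.com" is a placeholder domain.
# Requires the openssl command line tool (1.0.2 or later for -checkhost).

# gen_wildcard_cert DOMAIN OUTDIR [DAYS]
# Writes OUTDIR/wildcard.key and OUTDIR/wildcard.crt covering *.DOMAIN and DOMAIN.
gen_wildcard_cert() {
  domain="$1"; outdir="$2"; days="${3:-365}"
  mkdir -p "$outdir"
  # A config file (rather than -addext) keeps this portable across OpenSSL versions.
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = *.$domain
[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/wildcard.key" -out "$outdir/wildcard.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: true if the certificate's public key is the key's public key.
# Comparing SPKI digests works for RSA and EC keys alike.
cert_matches_key() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
  key_pub=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_covers_host CRT HOST: true if HOST is matched by the certificate's SAN entries.
# openssl prints "does match" / "does NOT match"; the exit status is not reliable, so grep.
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" | grep -q "does match"
}

# cert_not_expiring_within CRT SECONDS: true if the certificate is still valid SECONDS from now.
cert_not_expiring_within() {
  openssl x509 -noout -in "$1" -checkend "$2" >/dev/null
}

# Demonstration run: generate, then apply each check and print the outcome.
demo() {
  dir=$(mktemp -d)
  gen_wildcard_cert example.com "$dir" 365 || { echo "certificate generation failed"; return 1; }
  openssl x509 -noout -subject -enddate -in "$dir/wildcard.crt"
  for h in app.example.com example.com deep.sub.example.com; do
    if cert_covers_host "$dir/wildcard.crt" "$h"; then
      echo "covered:     $h"
    else
      echo "NOT covered: $h   (a wildcard matches one label only)"
    fi
  done
  cert_matches_key "$dir/wildcard.crt" "$dir/wildcard.key" && echo "key and certificate match"
  cert_not_expiring_within "$dir/wildcard.crt" $((30 * 86400)) && echo "valid for at least 30 days"
  rm -rf "$dir"
}

demo
```

Run the script as-is to see the demonstration, or source it and call the check functions against a certificate and key you are about to upload. A failed cert_matches_key means the wrong key file is being paired with the certificate, which Access Gateway or the load balancer would reject or serve incorrectly; a failed cert_covers_host for a deeper subdomain is the usual surprise with wildcard certificates and is why a second-level name such as deep.sub.example.com needs its own certificate or SAN entry.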