Manage SSL/TLS termination

Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), is a protocol for securing, encrypting, and decrypting network traffic.

SSL termination is the process of decrypting traffic before it's passed on to another server such as Access Gateway. When used with a load balancer, SSL can be terminated at the load balancer, or encrypted traffic can be passed directly to Access Gateway and SSL terminated there. See Load balancers.

Which method is selected is largely a matter of preference. When SSL is terminated at the load balancer, decisions can be made about the traffic based on its decrypted content; sophisticated load balancers provide such functionality. Terminating SSL at the load balancer is often a benefit to the back-end server, for example to conserve CPU by not requiring the back end to perform decryption. However, with Access Gateway all traffic between Access Gateway and the load balancer uses HTTPS and is encrypted for security purposes, which negates this benefit.

Access Gateway performs SSL termination by default. Alternatively, a load balancer can perform SSL termination.

The process for configuring SSL termination is similar in both situations. The following table lists the tasks needed to configure SSL termination:

Task: Integrate applications
Description: Integrate one or more protected back-end applications with Access Gateway. By default, Access Gateway applications include a self-signed, wildcard certificate that's generated when the application is added. Subsequent applications with the same domain can reuse the generated certificate. See Certificate use.

Task: Obtain certificates
Description: When not using self-signed certificates, certificates must be obtained from a certificate authority (for example, DigiCert) or generated using tools such as openssl.

Okta doesn't endorse any specific certificate provider.

Task: Upload certificates (Access Gateway)
Description: After obtaining a certificate, it must be uploaded to Access Gateway or the load balancer for use with applications.

Certificates are uploaded to Access Gateway using the Access Gateway Management console.

To upload certificates to a load balancer, see the appropriate platform documentation:

Task: Associate certificates (Access Gateway only)
Description: After uploading a certificate using the Access Gateway Management console, the certificate must be associated with an application.

See Certificate management for details of obtaining, uploading, and associating certificates with back-end protected web resources in an Access Gateway environment.
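As an added example for the "Obtain certificates" task (not Okta's code or part of Access Gateway), the following openssl commands produce a self-signed wildcard certificate like the one Access Gateway generates, or a CSR to send to a CA, and then check the result before it is uploaded. It assumes OpenSSL 1.1.1 or later and uses example.com as a placeholder domain.

```shell
#!/bin/sh
# Added example, not from Okta: create and sanity-check certificates for a
# wildcard domain before uploading them to Access Gateway or a load balancer.
set -eu

# gen_wildcard_cert DOMAIN OUTDIR
# Self-signed certificate valid for *.DOMAIN and DOMAIN (SAN is what browsers
# check; the CN alone is no longer sufficient). Suitable for test environments.
gen_wildcard_cert() {
  domain="$1"; out="$2"
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$out/wildcard.key" -out "$out/wildcard.crt" \
    -subj "/CN=*.$domain" \
    -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# gen_csr DOMAIN OUTDIR
# CSR for a CA-issued certificate. Only app.csr goes to the CA; app.key stays
# on the host that will terminate TLS (Access Gateway or the load balancer).
gen_csr() {
  domain="$1"; out="$2"
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/app.key" -out "$out/app.csr" \
    -subj "/CN=*.$domain" \
    -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# cert_sans CERT: print the certificate's SAN entries, e.g. "DNS:*.example.com,DNS:example.com"
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# key_matches_cert KEY CERT: succeed only if the private key belongs to the
# certificate (uploading a mismatched pair is a common failure when associating
# a certificate with an application).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_covers_host HOST CERT: does the (self-signed) certificate match HOST?
cert_covers_host() {
  openssl verify -CAfile "$2" -verify_hostname "$1" "$2" >/dev/null 2>&1
}
```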