Specifications
Appendix D: HTTPS Cluster Certificates
174 Equalizer Installation and Administration Guide
1. Perform the procedure in the previous section (“Enabling HTTPS with a Server Certificate”
on page 173) to enable HTTPS with a server-side certificate.
2. Generate a Client Certificate Signing Request or a Self-Signed Client Certificate.
In Step 1, you created a server certificate. Now, follow the same procedure to generate a client
certificate; do one of the following:
a. Create a Certificate Signing Request (CSR) and send it to a Certificate Authority for
signing. See the section “Generating a CSR and Getting It Signed by a CA” on page 175.
b. Create a certificate and sign it yourself. See the section “Generating a Self-Signed
Certificate” on page 176.
Many organizations choose to use third-party signed certificates for their HTTPS clusters, and
use self-signed certificates for their clients.
3. Modify the HTTPS cluster to request a client certificate.
a. Select the HTTPS cluster in the left frame of the Equalizer Administrative Interface and
then select menu > Change Cluster Parameters in the right frame.
b. Select the advanced flag to display advanced options.
c. Enable the certify_client flag; this tells Equalizer to request a client certificate when a
client attempts to connect to this cluster.
d. By default, the client certificate verification depth is set to 2. This number indicates the
number of levels in a certificate chain that the Equalizer will process before stopping (and
refusing the connection). This default will need to be raised if you received more than one
chained root certificate in addition to a client certificate from your Certificate Authority.
Note that this setting has an impact on performance, since SSL operations are resource
intensive.
e. By default, Equalizer requests a client certificate, but does not require the client to provide
one. Enable the require certificate flag to require that a client return a valid certificate
before connecting.
f. By default, the client’s certificate will be re-validated if the SSL connection needs to be
renegotiated. (Renegotiation is a feature of SSL, can occur for any of a number of reasons,
and may be initiated by Equalizer or the client browser.) Enable the verify once flag to tell
Equalizer not to re-evaluate the client certificate even if SSL renegotiation occurs. This can
have a positive performance impact if many SSL renegotiations are occurring during
normal operations.
g. Select commit to save your changes to the cluster definition.
For more information on creating HTTPS clusters, see Chapter 6, “Administering Virtual
Clusters”, in the Equalizer Installation and Administration Guide.
4. Install the Client Certificate on Equalizer.
Use the Equalizer Administration Interface to install the client certificate. See the section
“Installing a Server or Client Certificate for an HTTPS Cluster” on page 178.
5. Install the Client Certificate on all clients.
Import the client certificate into the client browser’s list of certificates. On Firefox, open
Tools > Options > Advanced > View Certificates. On Internet Explorer, open Tools > Internet
Options > Content > Certificates. Refer to the documentation for your browser for
instructions.
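
The chain-depth limit described in step 3d, shown as an added example that is not from the Equalizer guide: it builds a constructed root CA, intermediate CA and client certificate with the OpenSSL command line (version 1.1.0 or later assumed) and verifies the client certificate under different depth limits. OpenSSL's -verify_depth counts only intermediate CAs, which may differ from how Equalizer counts levels, so the numbers illustrate the effect of the limit rather than Equalizer's own setting.

```bash
#!/usr/bin/env bash
# Added example; every subject and file name below is constructed.
# Assumes the OpenSSL command line, version 1.1.0 or later.

# issue_cert DIR NAME SUBJECT EXTFILE [ISSUER]
# Writes NAME.key and NAME.pem in DIR; self-signed when ISSUER is omitted.
issue_cert() {
  dir=$1 name=$2 subj=$3 ext=$4 issuer=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -extfile "$dir/$ext" -days 1 -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial \
      -extfile "$dir/$ext" -days 1 -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_chain DIR: root CA -> intermediate CA -> client certificate.
build_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  issue_cert "$dir" root   "/CN=Demo Root CA"         ca.ext &&
  issue_cert "$dir" inter  "/CN=Demo Intermediate CA" ca.ext root &&
  issue_cert "$dir" client "/CN=demo-client"          client.ext inter
}

# verify_at_depth DIR DEPTH: prints OK if the client certificate verifies
# against the root with at most DEPTH intermediate CAs, otherwise FAIL.
# The intermediate is supplied as untrusted, as a client would send it.
verify_at_depth() {
  if openssl verify -verify_depth "$2" -CAfile "$1/root.pem" \
       -untrusted "$1/inter.pem" "$1/client.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

work=$(mktemp -d) && build_chain "$work" || { echo "chain build failed" >&2; exit 1; }
for depth in 0 1 2; do
  echo "verify_depth=$depth -> $(verify_at_depth "$work" "$depth")"
done
```

The chain has one intermediate CA, so a limit of 0 rejects the client certificate and a limit of 1 or more accepts it; each additional CA certificate in the chain raises the minimum by one.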