
Server Name Indication and Hybrid Access Gateway

SNI is an extension to TLS that has been around for a while, since 2003, but it is becoming more and more important as installations become multi-tenant, serving customers from completely different organizations.

To save resources it has long been popular to host multiple applications on one application server (virtual servers). If the server is listening on one interface and one port, there is no way to differentiate between the applications based on IP and port. Therefore the hostname has been used: one server with several hostnames. This works fine when TLS is not used. When TLS is used, a certificate with the hostname needs to be presented before the application layer protocol, e.g. HTTP, comes into play and provides the hostname. To solve this, one can use a wildcard certificate valid for all names hosted by the server, or one can use a certificate that includes a list of all hosts. The first option, a wildcard certificate, e.g. *.nexusgroup.com, is a good idea if the hosting is only for one organization with names such as mail.nexusgroup.com and intranet.nexusgroup.com. For a cloud service that hosts services for multiple customers, that is not a good enough solution. It would be possible to do it like this: customer1.nexusgroup.com, customer2.nexusgroup.com and so on. This solution can be seen in many places, e.g. in payment service integrations. However, it is not preferable, as it confuses the end user who came from a different domain, e.g. customer1.com or customer2.com. The second alternative, subject alternative names for all hosted names, could work. A certificate containing the names of all customers would then be requested, e.g. idp.customer1.com, idp.customer2.com and so on, but every time a new customer is added a new certificate would need to be requested. Since the customer owns the domain, it might not even be practically possible to do it this way.

To solve this, SNI was added to TLS. It enables the connecting client to indicate the name of the server it is connecting to. With the target server name available at the TLS level, it is easy for the server to look up a matching certificate among a list of certificates. For technical details on SNI, see RFC 6066.

Hybrid Access Gateway has previously had the option of binding a certificate with multiple names, or a wildcard certificate, to one of its listeners. With the 5.6 release we added support for SNI in a very convenient way. Everything works as before, but on the DNS pool names it is now possible to select a certificate for a specific hostname. If none is selected, it falls back to the listener certificate.

One could imagine several useful application areas, but the one closest to mind when talking about the Hybrid Access Gateway is of course hosting an IdP for multiple customers in one system. With the existing branding possibilities and SNI we can create a truly seamless experience for the users, without separate installations for each customer or cumbersome interface configurations. It just works.

