
Server Name Indication and Hybrid Access Gateway

SNI is an extension to TLS that has been around for a while, since 2003, but it is becoming more and more important as installations become multi-tenant, with customers from completely different organizations.

To save resources it has for a long time been popular to host multiple applications on one application server (virtual servers). If the server is listening on one interface and one port, there is no way to differentiate between the applications based on IP and port. Therefore the hostname has been used: one server with several hostnames, and this works fine when TLS is not used. When TLS is used, a certificate with the hostname needs to be presented before the application layer protocol, e.g. HTTP, comes into play and provides the host name. To solve this, one can use a wildcard certificate valid for all names hosted by the server, or one can use a certificate including a list of all hosts. The first option, a wildcard certificate, e.g. *.nexusgroup.com, is a good idea if the hosting is only for one organization with names such as mail.nexusgroup.com and intranet.nexusgroup.com. When having a cloud service that hosts services for multiple customers, that is not a good enough solution. It would be possible to do it like this: customer1.nexusgroup.com and customer2.nexusgroup.com and so on. This is a solution that can be seen in many places, e.g. in payment service integrations. However, it is not preferable, as it confuses the end user who came from a different domain, e.g. customer1.com or customer2.com.

The second alternative, subject alternative names for all hosted names, could work. Then a certificate with the names of all customers would be requested in one certificate, e.g. idp.customer1.com and idp.customer2.com and so on, but every time a new customer is added a new certificate would need to be requested. Since the customer owns the domain, it might not even be practically possible to do it this way.

To solve this, SNI was added to TLS: it enables the connecting client to indicate the name of the server it is connecting to. With the target server name available at the TLS level, it is easy for the server to do a lookup among a list of certificates to find a matching one. For technical details on SNI see RFC 6066.

Hybrid Access Gateway has previously had the option of a certificate with multiple names, or a wildcard certificate, bound to one of its listeners. With the 5.6 release we added support for SNI in a very convenient way. Everything works as previously, but on the DNS pool names it is now possible to select a certificate for a specific host name. If none is selected, it will fall back to the listener certificate.

One could imagine several useful application areas, but the one closest to mind when talking about the Hybrid Access Gateway is of course hosting an IdP for multiple customers in one system. With the existing branding possibilities and SNI we can create a truly seamless experience for the users, without separate installations for all customers or cumbersome interface configurations; it just works.
