Content Gateway Help
Websense Content Gateway v7.5

Working With Encrypted Data > Validating certificates

As part of forwarding outbound traffic, SSL Manager checks the certificates of the destination server. Use these tabs to configure certificate validation and to specify what to do in the case of invalid certificates.
1. Navigate to the page Configure > SSL > Validation > General.
2. Select or clear Enable the Certificate Verification Engine to enable or disable verifying certificates and checking for certificate revocation. If this option is not selected, checking does not occur. It is recommended that, at initial installation, you accept the default and keep the certificate verification engine disabled, and monitor traffic through your network. After a period, you can then enable this feature and specify how SSL Manager should process frequently accessed sites by creating incidents. See Managing Web HTTPS site access for additional information.
   Important: If you disable the certificate verification engine, you need to provide information only on the following pages:
   * Configure > SSL > Decryption / Encryption > Inbound
   * Configure > SSL > Decryption / Encryption > Outbound
   * Configure > SSL > Logging pages
   * Configure > SSL > Customization > Connection Error
3. Select Deny Certificates where the common name does not match the URL to define how the proxy handles those cases where the common name of the certificate does not match the URL of the Web server. For example, a certificate issued to www.company.com does not match the URL www.company.de.
4. Select Allow wildcard certificates if you want to accept a single certificate for an entire domain. This means that individual servers within that domain are not verified; they are all covered by the wildcard.
5. Select No expired or not yet valid certificates to deny access to sites whose certificates meet either criterion. If this box is not selected, access to those sites is permitted.
   Note: Self-signed certificates (certificates not issued by an official certificate authority) are considered invalid and belong in this category.
6. Select Verify entire certificate chain to verify all certificates between a certificate and its root certificate authority.
7. Select Check certification revocation by CRL to use certificate revocation lists (CRLs) to check a certificate's revocation state.
8. Select Check certification revocation by OCSP to use the Online Certificate Status Protocol to check a certificate's revocation state. Currently, OCSP is not used as widely as CRLs, so it is recommended that you indicate CRL in this field and use OCSP as a backup to CRLs.
   Note: Certificate revocation lists are used far more widely. It is recommended that you use OCSP in addition to, rather than instead of, CRLs. See Keeping revocation information up to date for more information on CRLs and OCSP.
9. If you enable checking by both CRLs and OCSP, indicate which method SSL Manager should use first for revocation checking.
10. Indicate whether access should be permitted or denied to sites whose certificate revocation status cannot be determined. If you choose to deny access, access is also denied to sites whose certificates do not contain CRL or OCSP information. You can see this information when you select a certificate authority and choose view certificate. See View a certificate for details. This can result in a highly restrictive security policy, with many access denials. You can allow for exceptions by using the incident list to manage access to Web sites. See Managing Web HTTPS site access.
11. For troubleshooting purposes, you can run an external program on incidents. An incident is logged whenever a client receives an access denied message. See Managing Web HTTPS site access for more information on incidents. Enter the path to the script in this field.
   It is recommended that you copy and paste the following script to help with troubleshooting. It captures the following pieces of information and writes them to a file.
   Important: It is recommended that you do not enter any of the other commands in the /opt/WCG/sxsuite/bin/ directory in this field, and that you exercise caution if you enter a script other than the one provided above.
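The following Python is an added illustration, not Websense code: it models how the three checks from steps 3 to 5 (common name versus URL host, wildcard acceptance, validity period) combine into a single allow or deny decision under the chosen settings. The one-label wildcard rule, the Policy field names and the sample dates are assumptions for the example, not taken from the product.

```python
"""Toy model of the SSL Manager checks from steps 3-5 (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class Policy:
    deny_cn_mismatch: bool = True   # "Deny Certificates where the common name does not match the URL"
    allow_wildcard: bool = False    # "Allow wildcard certificates"
    deny_expired: bool = True       # "No expired or not yet valid certificates"


def cn_matches(cn: str, host: str, allow_wildcard: bool) -> bool:
    """Case-insensitive match of a certificate common name against the URL host.

    Assumed wildcard rule: '*' must be the whole left-most label and stands for
    exactly one label, so '*.company.com' covers 'www.company.com' but neither
    'company.com' nor 'a.b.company.com'.
    """
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if not allow_wildcard or not cn.startswith("*.") or "*" in cn[1:]:
        return False
    suffix = cn[1:]                           # ".company.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def denial_reasons(cn: str, host: str, not_before: datetime, not_after: datetime,
                   now: datetime, policy: Policy) -> List[str]:
    """Return the reasons a connection would be denied; an empty list means allow."""
    reasons = []
    if policy.deny_cn_mismatch and not cn_matches(cn, host, policy.allow_wildcard):
        reasons.append(f"common name {cn!r} does not match URL host {host!r}")
    if policy.deny_expired:
        if now < not_before:
            reasons.append("certificate is not yet valid")
        elif now > not_after:
            reasons.append("certificate has expired")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate that expired at the end of 2010.
    nb = datetime(2009, 1, 1, tzinfo=timezone.utc)
    na = datetime(2010, 12, 31, tzinfo=timezone.utc)
    now = datetime(2011, 6, 1, tzinfo=timezone.utc)
    print(denial_reasons("*.company.com", "www.company.de", nb, na, now, Policy(allow_wildcard=True)))
```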