Server Groups
This section defines Server Groups: the highest level of organization within Link11 WAAP. A Server Group is based on a , and contains at least one and a .
Typically, a Server Group represents a single domain.
The main window (shown above) lists all currently defined Server Groups.
A name for this Server Group, to be used within the interface.
Information about this Server Group, to be used within the interface.
CA Certificate features will only be available if both of the following are true:
An AWS NLB (Network Load Balancer) is being used. (When using a Link11 Load Balancer, contact support.)
Specifies how clients (i.e., end users) should present CA certificates for mTLS validation. Options are:
[Off] Client authentication is disabled. The system will not request CA certificates from clients.
[On] CA certificate is required for authentication. The system will request and validate CA certificates from clients.
[Optional] CA certificate is requested but not required for authentication. The system will not require clients to provide CA certificates. However, if a client does provide a certificate, it must be valid in order for its request to be accepted. If the client provides an invalid certificate (e.g., expired, revoked, or forged), the request will be blocked.
When CA Certificates are enabled, Link11 WAAP will add headers to requests before passing them to the backend.
If a CA Certificate is provided, Link11 WAAP will add it to the request header, along with these additional headers:
| Header | Description | Example Value |
| --- | --- | --- |
| SSL_CLIENT_VERIFY | Client certificate verification status | SUCCESS (valid) / FAILED (invalid) |
| SSL_CLIENT_CERT | Full client certificate, URL-encoded | -----BEGIN CERTIFICATE----- ... |
| SSL_CLIENT_S_DN | Client's Subject Distinguished Name (DN) | CN=John Doe, O=ExampleCorp, C=US |
| SSL_CLIENT_I_DN | Issuer (CA) Distinguished Name (DN) | CN=Example CA, O=ExampleCorp, C=US |
| SSL_CLIENT_SERIAL | Unique serial number of the client certificate | 1234567890ABCDEF |
| SSL_CLIENT_FINGERPRINT | SHA-1 fingerprint of the client certificate | 5F:7C:1E:2B:... |
If no certificate is provided, the following headers will be passed:
| Header | Description | Example Value |
| --- | --- | --- |
| SSL_CLIENT_VERIFY | Indicates no client certificate was provided | NONE |
| SSL_CLIENT_CERT | Empty (not passed or -) | - |
| SSL_CLIENT_S_DN | Empty (no subject DN since no cert exists) | - |
| SSL_CLIENT_I_DN | Empty (no issuer DN since no cert exists) | - |
| SSL_CLIENT_SERIAL | Empty (no serial number since no cert exists) | - |
| SSL_CLIENT_FINGERPRINT | Empty (no fingerprint since no cert exists) | - |
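A backend-side check of the headers listed above, as an added example (not Link11 code). It assumes the backend is reachable only through Link11 WAAP, that the framework exposes the headers as a dict under the names shown, and that the fingerprint is the SHA-1 of the certificate's DER bytes in colon-separated hex; the `mode` parameter and the sample values are constructed for illustration.

```python
import base64, hashlib, re
from urllib.parse import quote, unquote

def sha1_fingerprint(pem):
    """Colon-separated SHA-1 over the DER bytes inside a PEM block."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_dn(dn):
    """'CN=John Doe, O=ExampleCorp, C=US' -> dict (escaped commas not handled)."""
    return dict(p.strip().split("=", 1) for p in dn.split(",") if "=" in p)

def client_identity(headers, mode="On"):
    """Subject DN dict for a verified client, None for an anonymous client in
    Optional mode; raises PermissionError otherwise. `mode` is hypothetical."""
    status = headers.get("SSL_CLIENT_VERIFY", "NONE")
    if status == "NONE":
        if mode == "Optional":
            return None  # no certificate: treat as unauthenticated, not as trusted
        raise PermissionError("client certificate required")
    if status != "SUCCESS":
        raise PermissionError("client certificate failed verification")
    try:
        # Cross-check: the forwarded certificate must match the forwarded fingerprint.
        seen = sha1_fingerprint(unquote(headers.get("SSL_CLIENT_CERT", "")))
    except ValueError:
        raise PermissionError("malformed SSL_CLIENT_CERT")
    if seen != headers.get("SSL_CLIENT_FINGERPRINT", "").upper():
        raise PermissionError("certificate does not match fingerprint header")
    return parse_dn(headers.get("SSL_CLIENT_S_DN", ""))

# Constructed sample: placeholder bytes stand in for a real DER certificate.
DER = b"constructed placeholder bytes, not a real certificate"
PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(DER).decode()
       + "\n-----END CERTIFICATE-----\n")
SAMPLE = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": quote(PEM),
    "SSL_CLIENT_S_DN": "CN=John Doe, O=ExampleCorp, C=US",
    "SSL_CLIENT_I_DN": "CN=Example CA, O=ExampleCorp, C=US",
    "SSL_CLIENT_SERIAL": "1234567890ABCDEF",
    "SSL_CLIENT_FINGERPRINT": sha1_fingerprint(PEM),
}

if __name__ == "__main__":
    print(client_identity(SAMPLE))
    print(client_identity({"SSL_CLIENT_VERIFY": "NONE"}, mode="Optional"))
```

In Optional mode the `None` return is the case to handle explicitly: the request was accepted without a certificate, so any route that needs a client identity must still reject it.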
The usage of Server Groups is explained in detail here: .
The administration (addition/deletion/editing/versioning) of these Groups follows the conventions described .
The domain to use when are issued.
The scope for this Server Group (typically this is a list of domains), specified as a regex. If this list is edited, the edits must be saved before .
The for this Server Group, with its parameters displayed for convenience.
The that this Server Group is based upon.
The for this Server Group, if any.
The for this Server Group. The Generate button will generate a new certificate.
The CA Certificate to use when enforcing mTLS for the domain (). The available certificates are those defined in the CA Certificates tab of the page.
CA Certificates have been .