How to configure BCAAA to communicate with SG via SSL

Solutions ID:    KB3678
Version:    1.0
Status:    Published
Published date:    01/27/2010

Problem Description

Your goal is to secure communication between the ProxySG and BCAAA.


Begin by downloading the version of BCAAA specific to the version of SGOS running on your ProxySG.  This is available on our support site, under downloads.

1. Unzip and install BCAAA

2. During installation, select the 'permitted' option, which allows SSL communication between the SG and BCAAA

3. Define the subject/common name of the server on which BCAAA is being installed.  This is either the IP address of the machine, or its hostname.

4. Save the automatically generated certificate in the certificate store

5. Select 'no' when asked to require the ProxySG to provide a valid certificate

6. Configure BCAAA to run as a domain user. Define that user account as a network administrator that has rights to query the domain and write access to the local server.


Next, we'll need to extract the certificate generated by the BCAAA installation process and install that on the proxy. 

1. Click Start > Run > MMC

2. Click File > Add snap-in

3. Click Add > Certificates

4. Select Service account > local computer > BCAAA

5. Click close > ok

6. In the list of certificate elements, click BCAAA\Personal, then Certificates

7. Open the certificate

8. Click Details > Copy to File > select Base64 encoding, and save the file to the local system

9. Open the file with Notepad (or any text editor) and copy the text to your Windows clipboard
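
A check you can run on the BCAAA server after step 8, before pasting the text into the ProxySG (an added example, not part of the original article; the file path and expected name are placeholders you must set). It confirms the export is Base64 certificate text with no private key, then reports the common name, validity dates and thumbprint so you can compare them with the certificate shown in the MMC snap-in.

```powershell
# Added example: sanity-check the Base64 export of the BCAAA certificate.
param(
    [string]$CertPath     = 'C:\Temp\bcaaa.cer',       # hypothetical export location
    [string]$ExpectedName = 'bcaaa-host.example.com'   # hypothetical: the subject/common name
)                                                      # entered during BCAAA installation

$raw = Get-Content -LiteralPath $CertPath -Raw

# The ProxySG import box expects PEM text: header, Base64 body, footer.
if ($raw -match '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
    $body = $Matches[1]
} else {
    throw 'Not a Base64 (PEM) certificate. Re-export and select Base64 encoding.'
}

# Only the public certificate should leave the BCAAA server.
if ($raw -match 'PRIVATE KEY') {
    throw 'File contains private key material. Export the certificate only.'
}

# Decode the Base64 body to DER and parse it as X.509.
$der  = [Convert]::FromBase64String(($body -replace '\s', ''))
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)

# Common name from the subject; the SG must reach BCAAA under this name or IP.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $cert.GetNameInfo($nameType, $false)

# SHA-256 over the DER bytes, in addition to the SHA-1 thumbprint Windows displays.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256  = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

$now = Get-Date
[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    CommonName     = $cn
    NameMatches    = ($cn -eq $ExpectedName)    # -eq is case-insensitive for strings
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
    NotBefore      = $cert.NotBefore
    NotAfter       = $cert.NotAfter
    CurrentlyValid = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    Sha1Thumbprint = $cert.Thumbprint           # matches "Thumbprint" in the MMC Details tab
    Sha256         = $fp256
} | Format-List
```

If `NameMatches` or `CurrentlyValid` is False, resolve that before importing the certificate on the ProxySG.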


Finally, we will install this certificate on the ProxySG

1. Open the management console, select the Configuration tab > SSL > CA Certificates

2. Click import

3. Provide a name for the new certificate (such as BCAAA) and paste the certificate details into the box provided.  Click OK, then Apply.

4. Next, go to SSL > CA Certificates and click on the CA Certificate lists tab

5. Edit the 'Browser-trusted' CA certificate list

6. Add the 'BCAAA' certificate to the list on the right.  Click OK then Apply.


From there, you can configure your IWA or SSO authentication realm on the SG.  Be sure to enable the SSL check mark, and define the 'default' SSL device profile.


** Note - If the SG has no keyring associated with the 'default' device profile, this process will fail.  Confirm this by viewing the list of device profiles at SSL > Device Profiles > Default.  If no keyring exists next to 'default', edit the default profile and select 'default' as the keyring.
