AhsayOBS SSL certificates with multiple SubAdmins

Overview

A custom SSL certificate on AhsayOBS may cause issues if you use AhsayOBS SubAdmins. As SSL encryption starts before the desired hostname is indicated by the client, the SSL certificate must match without knowing the hostname.

Possible Solutions

There are a few solutions to this problem.

• You may configure the AhsayOBS/conf/server.xml file to listen to multiple IP addresses. This means you can apply a different SSL certificate on each IP address.

  • This is the approach used by MyClient to support custom domains. For more information, please see Custom Domains ».

• You may purchase an SSL certificate that crosses multiple domain names via SAN (Subject Alternative Name).

• You can use the default not-secure-company SSL certificate.

  • This solution is feasible if you must use AhsayOBS SubAdmins and only have a single IP address. The not-secure-company certificate is whitelisted by the OBM/ACB backup agent despite being for a mismatched hostname.

    The insecurity of the default not-secure-company SSL certificate arises solely from the fact that anyone can easily acquire a trial version of AhsayOBS and correspondingly, the private key for this SSL certificate, allowing them to decrypt traffic on the wire. This immediately bypasses any security benefit of using an SSL connection.

    This means the security of SSL is a pretext only; you could therefore reduce CPU load on the backup server by switching clients to unencrypted HTTP instead of SSL.

• A much better solution is to avoid using AhsayOBS SubAdmins and instead use MyClient Resellers.