Certificate Authentication Module

This topic contains 4 replies, has 2 voices, and was last updated by  cs501 1 year ago.



    I am configuring “Certificate Authentication Module” for my realm.
    The whole config setting looks very neat and clean except one.

    It is very clear that if there is a load-balance in front of AM, then we have to configure 2 properties
    Trusted Remote Hosts and HTTP Header Name for Client Certificate so that LB can send out the client-certificate in a particular HTTP header which will be used by AM to map it with the identity.

    There is also one more config setting i.e., “Use only Certificate from HTTP request header” which is confusing me.
    If I interpret correctly, it works in the following order:

    1. 2-way SSL is established between the client browser and AM.
    2. If “Use only Certificate from HTTP request header” is OFF, then AM will pull out the client certificate using request.getAttribute(“javax.servlet.request.X509Certificate”).
    3. AM will use the above cert in establishing the mapping and creating the session.

    However, if “Use only Certificate from HTTP request header” is ON, then:

    1. 2-way SSL will be performed as usual between the browser and AM.
    2. But now, instead of using the client cert that was used for 2-way SSL, AM will look for one more certificate in the incoming HTTP request header.

    Is my understanding correct?
    If yes, that means that the client has to pack this certificate in the HTTP request.


     Peter Major 

    The “Use only Certificate from HTTP request header” setting tells AM that it should ignore the certs defined on the HTTP request and always look for the cert in the header. The only use-case I can think of is when the LB/RP would use client auth (using their own private key) to access the AM container.
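The selection logic described in the question and in Peter's reply, written out as an added example (this is not AM's code and does not use its API; the class and function names are hypothetical, and the sample PEM, header name and addresses are constructed). It models the three settings named in the thread: the header is honoured only when the request actually comes from a Trusted Remote Host, and in header-only mode the certificate the LB/RP used for its own client auth is never used to identify the end user.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Hypothetical model of the three Certificate Authentication Module settings
# discussed in the thread (not AM's own configuration classes).
@dataclass(frozen=True)
class CertModuleConfig:
    trusted_remote_hosts: Tuple[str, ...]  # "Trusted Remote Hosts": IPs or CIDRs of the LB/RP
    header_name: str                       # "HTTP Header Name for Client Certificate"
    header_only: bool                      # "Use only Certificate from HTTP request header"

@dataclass(frozen=True)
class Request:
    remote_addr: str                       # TCP peer address as seen by the AM container
    headers: dict                          # HTTP headers (name -> value)
    tls_client_cert: Optional[str]         # PEM of the cert presented during 2-way SSL, if any

def is_trusted_remote_host(remote_addr: str, trusted: Tuple[str, ...]) -> bool:
    """True when the peer address falls inside one of the configured trusted hosts/networks."""
    addr = ip_address(remote_addr)
    return any(addr in ip_network(net, strict=False) for net in trusted)

def cert_from_header(req: Request, header_name: str) -> Optional[str]:
    """Extract a PEM certificate from the configured header (LBs commonly URL-encode it)."""
    value = next((v for k, v in req.headers.items() if k.lower() == header_name.lower()), None)
    if not value:
        return None
    pem = unquote(value).strip()
    if not (pem.startswith("-----BEGIN CERTIFICATE-----") and pem.endswith("-----END CERTIFICATE-----")):
        return None
    return pem

def select_client_cert(req: Request, cfg: CertModuleConfig) -> Tuple[Optional[str], str]:
    """Decide which certificate (if any) identifies the end user.

    Returns (pem, source) where source is "header" or "tls", or (None, reason).
    Policy modelled here (assumption, not verified AM behaviour): a header cert is
    accepted only from a trusted remote host; in header-only mode the TLS-layer
    cert is ignored entirely, because it belongs to the LB/RP, not the user.
    """
    trusted = is_trusted_remote_host(req.remote_addr, cfg.trusted_remote_hosts)
    if cfg.header_only:
        if not trusted:
            return None, "header-only mode but peer is not a trusted remote host"
        cert = cert_from_header(req, cfg.header_name)
        return (cert, "header") if cert else (None, "no certificate in configured header")
    # Normal mode: a header from a trusted LB wins, otherwise use the 2-way SSL cert.
    if trusted:
        cert = cert_from_header(req, cfg.header_name)
        if cert:
            return cert, "header"
    if req.tls_client_cert:
        return req.tls_client_cert, "tls"
    return None, "no client certificate presented"

# Constructed sample data: a placeholder PEM body, not a real certificate.
USER_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedUserCert==\n-----END CERTIFICATE-----"
LB_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedLoadBalancerCert==\n-----END CERTIFICATE-----"
CONFIG_HEADER_ONLY = CertModuleConfig(("10.0.0.0/24",), "X-Client-Cert", header_only=True)
CONFIG_NORMAL = CertModuleConfig(("10.0.0.0/24",), "X-Client-Cert", header_only=False)

if __name__ == "__main__":
    # Request relayed by the trusted LB, which did client auth with its own key.
    via_lb = Request("10.0.0.7", {"X-Client-Cert": quote(USER_PEM)}, LB_PEM)
    print(select_client_cert(via_lb, CONFIG_HEADER_ONLY))   # user cert, source "header"
    # Direct request from an untrusted peer that injects the header itself.
    spoofed = Request("203.0.113.9", {"X-Client-Cert": quote(USER_PEM)}, None)
    print(select_client_cert(spoofed, CONFIG_NORMAL))       # (None, ...) header ignored
```

The point worth checking in a deployment is the second case: if the container is reachable by clients other than the LB, the Trusted Remote Hosts list is what stops a caller from supplying an arbitrary certificate in the header.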


    Thanks Peter. Your clarification really helps me.

    Some time ago I requested one such similar quick clarification for the “Kerberos Auth Module”.
    Would you please confirm whether I am correct in my understanding.

    I want to know:
    would AM’s Windows Desktop SSO auth module ever need to communicate with the Kerberos KDC OR Active Directory during the IWA authentication flow?

    As per the Kerberos protocol, there is NO such exchange defined between the Service and the KDC.

    I just wanted to confirm that AM adheres to the Kerberos design, as in my organization we cannot open up the KDC or AD for AM.
    Our AM is in the AWS Cloud.


     Peter Major 

    Fortunately Kerberos so far has eluded me, and I never really had to learn how any of it works. I can’t answer your question.


    No problem, Peter. Will wait in case somebody else responds.


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries.