Client Certificate Authentication for ForgeRock IDM behind Ingress

This topic has 1 reply, 1 voice, and was last updated 6 days, 19 hours ago by rasarkar.

  • #27591
     rasarkar
    Participant

    I have ForgeRock IDM configured for client certificate authentication for a particular service. The ForgeRock stack is deployed on a K8s cluster. If I try to authenticate with a client certificate using the POD or service URLs, it works fine and gives me the desired response.

    As soon as I try to do that using the nginx ingress URL, it stops working, resulting in a 502 error. The ingress logs show:

    2020/02/11 13:07:36 [error] 7285#7285: *8030939 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
    2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] sticky.lua:134: balance(): failed to get new upstream; using upstream nil while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
    2020/02/11 13:07:36 [warn] 7285#7285: *8030939 [lua] balancer.lua:269: balance(): no peer was returned, balancer: sticky_balanced while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://10.246.226.91:8444/openidm/info/login", host: "sample.domain.com"
    2020/02/11 13:07:36 [crit] 7285#7285: *8030939 connect() to 0.0.0.1:80 failed (22: Invalid argument) while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"
    2020/02/11 13:07:36 [warn] 7285#7285: *8030939 upstream server temporarily disabled while connecting to upstream, client: 10.246.226.47, server: sample.domain.com, request: "GET /openidm/info/login HTTP/2.0", upstream: "https://0.0.0.1:80/openidm/info/login", host: "sample.domain.com"

    I tried enabling client certificate authentication at the Ingress level, but that breaks other APIs that do not require client certificate authentication.

    Is there a way in which Ingress won’t try to do certificate authentication but will pass the certificate to the application, so that the application can take care of the certificate authentication?

    #27595
     rasarkar
    Participant

    @charan-mann Requesting your assistance here
