Tagged: client certificates, SSL
This topic has 5 replies, 3 voices, and was last updated 4 years, 7 months ago by srastogi.
June 2, 2016 at 2:56 pm #10911
srastogi
Participant

Hi,
Does OpenAM support machine to machine certificate authentication? If yes, is there any related document, or can anyone please share the link to configure the same?
Thanks,
June 3, 2016 at 2:01 pm #10945
srastogi
Participant

Any comments on the above raised query.. whether it is achievable or not..
June 3, 2016 at 4:17 pm #10950
Peter Major
Moderator

I’m sure you have read the documentation already, but in case not, does this help:
https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#cert-module-conf-hints ?

June 6, 2016 at 2:40 pm #11025
srastogi
Participant
Thanks Peter for your response.
Currently we are not looking at user certificate based authentication; we want to understand whether OpenAM supports machine to machine certificate based authentication or not.
If so, is there any standard document or link available? Because I think the above shared link is most likely talking about user certificate based authentication.
June 7, 2016 at 10:38 am #11045
Neil Madden
Participant

The short answer is “it’s complicated”, I’m afraid.
For connections from OpenAM to OpenDJ, you can configure client certificate authentication, but it was not possible to configure OpenAM to actually send a client certificate. OPENDK-2923 fixes this, but it is not yet available in any released version of OpenAM.
For OpenAM to OpenAM connections (crosstalk), you should be able to accomplish this by configuring the HTTPS connector in your container to require client certificates (this is container specific). If you do not also want to require all your users to present client certificates, then you will need to configure a second HTTPS connector for inter-server communications. However, this is a much less tested configuration. You would then need to configure your server URLs to point at the new connector (running on a different port), and set the javax.net.ssl.* system properties to configure the client certificate. You can also set the opensso.protocol.handler.pkgs system property to com.sun.identity.protocol. This will use the same JVM system properties to set the keystore, but additionally allows you to set com.sun.identity.security.keyStore.clientAlias to name the alias of the certificate you want to use in the case where there is more than one key in that keystore.

June 7, 2016 at 2:34 pm #11049
srastogi
Participant
Hi Neil,
Thanks for the update..
Is there any document available which will help us to configure the same, to try once? Because I tried a lot to find some link/document related to machine to machine authentication (OpenAM authentication to any of the server) but no luck.
Thanks,
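The inter-server client-certificate setup Neil Madden outlines above rests on two things: the JVM javax.net.ssl.* system properties naming the keystore and truststore, and a way to pin which alias in that keystore is presented when it holds more than one key (the problem OpenAM's clientAlias setting addresses). The following is an added example written for this thread, not code from OpenAM or from any poster; it uses only standard JSSE APIs to build an SSLContext that always presents one chosen alias. The property name client.cert.alias and the alias value openam-crosstalk are placeholders invented here, not OpenAM's com.sun.identity.security.keyStore.clientAlias.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Builds an SSLContext for outbound HTTPS calls that always presents the
 * client certificate stored under one chosen alias. Keystore locations and
 * passwords are read from the standard javax.net.ssl.* system properties.
 * "client.cert.alias" is a placeholder property of this example only.
 */
public final class ClientCertAliasSslContext {

    /** Key manager wrapper that pins the alias used for client authentication. */
    static final class FixedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        FixedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }

        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            // The default manager picks any alias whose key type and issuer match;
            // with several keys in the store that choice is unpredictable, so pin it.
            return alias;
        }

        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }

        @Override
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }

        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }

        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }

        @Override
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** Loads keystore and truststore from the JVM properties and pins the client alias. */
    public static SSLContext build(String alias) throws GeneralSecurityException, IOException {
        String ksPath = System.getProperty("javax.net.ssl.keyStore");
        char[] ksPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        char[] tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray();

        KeyStore ks = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, ksPass); }
        // Fail early and loudly rather than silently falling back to another key.
        if (!ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("alias '" + alias + "' has no private key in " + ksPath);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new FixedAliasKeyManager((X509KeyManager) kms[i], alias);
            }
        }

        // Truststore decides which server certificates this side accepts.
        KeyStore ts = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder property/alias names; substitute your own keystore alias.
        String alias = System.getProperty("client.cert.alias", "openam-crosstalk");
        SSLContext ctx = build(alias);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("Default HTTPS socket factory now presents alias: " + alias);
    }
}
```

Run it with the usual properties, e.g. -Djavax.net.ssl.keyStore=/path/to/keystore.jks -Djavax.net.ssl.keyStorePassword=... -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=... -Dclient.cert.alias=your-alias. The explicit isKeyEntry check matters: without a pinned alias, JSSE may pick a different key than intended and the peer connector rejects the handshake with no hint as to which certificate was sent. The container side (the second HTTPS connector that requires client certificates) is container specific, as Neil notes, and is not shown here.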