June 2, 2016 at 2:56 pm #10911
Does OpenAM support machine-to-machine certificate authentication? If yes, is there any related document, or can anyone please share the link to configure the same?
Thanks,

June 3, 2016 at 2:01 pm #10945
Any comments on the above raised query, whether it is achievable or not?

June 3, 2016 at 4:17 pm #10950 Peter Major (Moderator)
I’m sure you have read the documentation already, but in case not, does this help:
https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#cert-module-conf-hints ?

June 6, 2016 at 2:40 pm #11025
Thanks Peter for your response.
Currently we are not looking at users' certificate-based authentication; we want to understand whether OpenAM supports machine-to-machine certificate-based authentication or not.
If so, is there any standard document or link available? Because I think the above shared link is most likely talking about user certificate-based authentication.

June 7, 2016 at 10:38 am #11045 Neil Madden (Participant)
The short answer is “it’s complicated”, I’m afraid.
For connections from OpenAM to OpenDJ, you can configure client certificate authentication, but it was not possible to configure OpenAM to actually send a client certificate. OPENDK-2923 fixes this, but it is not yet available in any released version of OpenAM.
For OpenAM to OpenAM connections (crosstalk), you should be able to accomplish this by configuring the HTTPS connector in your container to require client certificates (this is container specific). If you do not also want to require all your users to present client certificates, then you will need to configure a second HTTPS connector for inter-server communications. However, this is a much less tested configuration. You would then need to configure your server URLs to point at the new connector (running on a different port), and set the javax.net.ssl.* system properties to configure the client certificate. You can also set the opensso.protocol.handler.pkgs system property to com.sun.identity.protocol. This will use the same JVM system properties to set the keystore, but additionally allows you to set com.sun.identity.security.keyStore.clientAlias to name the alias of the certificate you want to use in the case where there is more than one key in that keystore.

June 7, 2016 at 2:34 pm #11049
Thanks for the update.
Is there any document available which will help us to configure the same, to try once? Because I tried a lot to find some link/document related to machine-to-machine authentication (OpenAM authentication to any of the servers) but no luck.
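The crosstalk setup Neil Madden describes above, reduced to its TLS essentials, as an added Go example that is not part of this thread and not OpenAM or container code: one side plays the dedicated inter-server HTTPS connector configured to require and verify a client certificate, the other side plays a caller that either does or does not have a client certificate configured. The node names openam-node-1 and openam-node-2 are constructed, the certificates are self-signed and generated in memory so the example runs offline, and the in-memory cert pools stand in for the keystore and truststore that a real deployment would point the javax.net.ssl.* properties at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn, valid for
// 127.0.0.1 and marked for both server and client authentication. Real
// deployments use PKI-issued certificates; these are constructed in memory.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// poolOf is the in-memory equivalent of a truststore holding one certificate.
func poolOf(c tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c.Leaf)
	return p
}

// startServer models the second, inter-server HTTPS connector: the handshake
// fails unless the peer presents a certificate that verifies against ClientCAs.
func startServer(serverCert, trustedClient tls.Certificate) (*http.Server, string, error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Only reached after a successful mutual handshake, so index 0 exists.
		fmt.Fprint(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	srv := &http.Server{Handler: mux, TLSConfig: &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    poolOf(trustedClient),
		MinVersion:   tls.VersionTLS12,
	}}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, "", err
	}
	go srv.ServeTLS(ln, "", "") // certificate comes from TLSConfig, not files
	return srv, "https://" + ln.Addr().String() + "/", nil
}

// call is the caller side; clientCert == nil models a peer with no client
// certificate configured, the situation the post says pre-fix OpenAM was in.
func call(url string, serverCert tls.Certificate, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: poolOf(serverCert), MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns the reply obtained with a client certificate and whether the
// same request without one was rejected. Node names are constructed.
func Demo() (reply string, rejectedWithoutCert bool, err error) {
	serverCert, err := selfSigned("openam-node-1")
	if err != nil {
		return "", false, err
	}
	clientCert, err := selfSigned("openam-node-2")
	if err != nil {
		return "", false, err
	}
	srv, url, err := startServer(serverCert, clientCert)
	if err != nil {
		return "", false, err
	}
	defer srv.Close()
	if reply, err = call(url, serverCert, &clientCert); err != nil {
		return "", false, err
	}
	_, noCertErr := call(url, serverCert, nil)
	return reply, noCertErr != nil, nil
}

func main() {
	reply, rejected, err := Demo()
	fmt.Println(reply, rejected, err) // hello openam-node-2 true <nil>
}
```

The point the thread circles around is visible in the two calls at the end of Demo: with RequireAndVerifyClientCert on the connector, the caller is identified by the subject of the certificate it proves possession of, and a caller with no certificate configured is refused at the handshake, before any HTTP request is processed. Mapping this onto a container means putting the equivalent of ClientAuth on the second connector only, and the equivalent of cfg.Certificates on the calling JVM via the javax.net.ssl.* keystore properties (plus the clientAlias property when that keystore holds more than one key).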