Openam supports machine to machine certificate authentication or not

Home Forums ForgeRock Products Access Management Openam supports machine to machine certificate authentication or not

Learn more about our upcoming Identity Summits

Tagged: ,

This topic has 5 replies, 3 voices, and was last updated 6 years, 3 months ago by srastogi.

  • Author
    Posts
  • June 2, 2016 at 2:56 pm #10911
     srastogi
    Participant

    Hi,

    Does OpenAM supports machine to machine certificate authentication. If yes, is there any related document or can anyone please share the link to configure the same.

    Thanks,

    June 3, 2016 at 2:01 pm #10945
     srastogi
    Participant

    Any comments on the above raised query..whether it is achievable or not..

    June 3, 2016 at 4:17 pm #10950
     Peter Major
    Moderator

    I’m sure you have read the documentation already, but in case not, does this help:
    https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#cert-module-conf-hints ?

    June 6, 2016 at 2:40 pm #11025
     srastogi
    Participant

    Thanks Peter for your response.

    Currently user’s certificate based authentication we are not looking at,we want to understand OpenAM supports machine to machine certificate based authentication or not.

    If so, is there any standard document or link available. Because I think in the above shared link it is most likely talking about user certificate based authentication.

    June 7, 2016 at 10:38 am #11045
     Neil Madden
    Participant

    The short answer is “it’s complicated”, I’m afraid.

    For connections from OpenAM to OpenDJ, you can configure client certificate authentication, but it was not possible to configure OpenAM to actually send a client certificate. OPENDK-2923 fixes this, but it is not yet available in any released version of OpenAM.

    For OpenAM to OpenAM connections (crosstalk), you should be able to accomplish this configuring the HTTPS connector in your container to require client certificates (this is container specific). If you do not also want to require all your users to present client certificates, then you will need to configure a second HTTPS connector for inter-server communications. However, this is a much less tested configuration. You would then need to configure your server URLs to point at the new connector (running on a different port), and set the javax.net.ssl.* system properties to configure the client certificate. You can also set the opensso.protocol.handler.pkgs system property to com.sun.identity.protocol. This will use the same JVM system properties to set the keystore, but additionally allows you to set com.sun.identity.security.keyStore.clientAlias to name the alias of the certificate you want to use in the case where there is more than one key in that keystore.

    June 7, 2016 at 2:34 pm #11049
     srastogi
    Participant

    Hi Neil,

    Thanks for the update..

    Is there any document available which will help us to configure the same, try once.Because I tried a lot to find some link/document related to machine to machine authentication (OpenAM authentication to any of the server) but no luck.

    Thanks,

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?