Setting up OpenAM for PKI (X.509) Authentication


This topic has 5 replies, 5 voices, and was last updated 4 years, 5 months ago by tlmacal.


    I am looking for concise instructions for setting up OpenAM to allow for PKI authentication (only) on my application.

    I have an application that is served up by Apache 2.4. Apache will ask my user for its browser-loaded PKI certificate, then pass it over to OpenAM. I want OpenAM to do CRL, OCSP, and some other attribute lookup, then pass authentication data back to Apache to be used within my application.

    I have a very lean prototype working with username/password, however, I need to get it functional with PKI only.

    Am I on the correct track in my thinking of how authentication should behave? I don’t want to do anything exotic, just grab a cert from the user, check it for validity, grab some info, then head back to the app.

    I haven’t seen how I set up OpenAM to do this. I see how I can set up Tomcat to ask for PKI to log me into the OpenAM admin console; however, I haven’t seen anything for web agent clients. I assume there’s some sort of header that’s going to be set by OpenAM, or something like that?

    Scott Heger

    I did this type of setup years ago using OpenSSO and Sun Webserver. Not exactly your setup, but the concepts are all the same, and the UI of OpenSSO for the relevant parts is still the same in OpenAM. I worked with Jeff Nester, who was at Sun Microsystems at that time, on this, and he put together a document that described the process of setting it up. That document can be found here:

    Hope that helps.


    For Apache fronting the OpenAM server doing the SSL authentication, use ajp:// to proxy the request to OpenAM. The authenticated client cert will be passed automatically.
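    The setup this reply describes, as an added example that is not part of the thread: an Apache 2.4 virtual host that performs the client-certificate handshake itself and proxies to OpenAM over AJP, so the verified certificate travels as an AJP attribute instead of a spoofable HTTP header. Host names, file paths, the `/openam` deployment URI and the AJP port are placeholders; mod_ssl, mod_proxy and mod_proxy_ajp are assumed to be loaded.

```apache
# Added example (not from the original post). Assumes mod_ssl, mod_proxy and
# mod_proxy_ajp are loaded and OpenAM runs in a Tomcat with an AJP connector.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/sso.example.com.key

    # Only client certificates chaining to this CA bundle are accepted;
    # "require" makes the handshake fail for anyone without a valid cert.
    SSLCACertificateFile    /etc/pki/tls/certs/client-ca-bundle.pem
    SSLVerifyClient         require
    SSLVerifyDepth          3

    # First-line revocation checks in Apache. OpenAM's Cert module can
    # re-check CRL/OCSP with its own settings on top of this.
    SSLCARevocationFile     /etc/pki/tls/crl/client-ca.crl
    SSLCARevocationCheck    chain
    SSLOCSPEnable           on

    # ExportCertData sets SSL_CLIENT_CERT (PEM) in the request environment;
    # mod_proxy_ajp forwards it as the AJP ssl_cert attribute, which Tomcat
    # exposes to OpenAM as javax.servlet.request.X509Certificate.
    SSLOptions              +ExportCertData +StdEnvVars

    ProxyPreserveHost On
    ProxyPass        /openam ajp://127.0.0.1:8009/openam
    ProxyPassReverse /openam ajp://127.0.0.1:8009/openam
</VirtualHost>
```

Keep the AJP port bound to localhost or a private interface, since anything that can reach it directly can assert an arbitrary ssl_cert attribute; recent Tomcat versions also require a shared AJP secret, which mod_proxy_ajp supports via the `secret=` ProxyPass parameter.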


    Thanks for the thoughts! Is my thinking correct about how authentication works with OpenAM and PKI?


    I am trying to achieve the same outcome by using Apache as a reverse proxy and OpenAM to verify the certificate CN in OpenDJ. I can’t seem to find any direct instructions on how to implement this.
    Are there any useful links that you guys can recommend?


    Has anyone managed to use X.509 certificates for SSO authentication with OpenAM or AM5? I haven’t seen any mention since 2015 and none of them seem to claim success.
