Setting up OpenAM for PKI (X.509) Authentication

Home Forums ForgeRock Products Access Management Setting up OpenAM for PKI (X.509) Authentication

Learn more about our upcoming Identity Summits

Tagged: , ,

This topic has 5 replies, 5 voices, and was last updated 4 years, 5 months ago by tlmacal.

  • Author
    Posts
  • December 16, 2015 at 1:11 am #6556
     [email protected]
    Participant

    I am looking for concise instructions for setting up OpenAM to allow for PKI authentication (only) on my application.

    I have an application that is served up by Apache 2.4, Apache will ask my user for it’s browser-loaded PKI certificate then pass it over to OpenAM. I want OpenAM to do CRL, OSCP, and some other attribute lookup, then pass authentication data base to Apache to be used within my application.

    I have a very lean prototype working with username/password, however, I need to get it functional with PKI only.

    Am I on the correct track in my thinking of how authentication should behave? I don’t want to do anything exotic, just grab a cert from the user, check it for validity, grab some info, then head back to the app.

    I haven’t seen how I setup OpenAM to do this. I see how I can setup Tomcat to ask for PKI to log me into the OpenAM admin console, however, I haven’t seen anything for web agent clients. I assume there’s some sort of header that’s going to be set by OpenAM or something like????

    December 16, 2015 at 3:11 am #6557
     Scott Heger
    Participant

    I did this type of setup years ago using OpenSSO and Sun Webserver. Not exactly your setup but the concepts are all the same and the UI of OpenSSO for the relevant parts are still the same in OpenAM. I worked with Jeff Nester, who was at Sun Microsystems at that time, on this and he put together a document that described the process of setting it up. That document can be found here: http://jeffnester.com/howtos/opensso/openSSOCACconfigWebServer7.pdf

    Hope that helps.

    December 16, 2015 at 12:33 pm #6561
     barramundi
    Participant

    For Apache fronting the OpenAM server doing the SSL authentication, use ajp:// to proxy the request to OpenAM. The authenticated client cert will be passed automatically.

    December 16, 2015 at 2:08 pm #6562
     [email protected]
    Participant

    Thanks for the thoughts! Is my thinking correct how Authentication works with OpenAM and PKI?

    July 5, 2016 at 6:21 am #11815
     mehdi.chemsi
    Participant

    I am trying to achieve the same outcome by using Apache as a reverse proxy and openAM to verify the certificate CN in openDJ. I can’t find seem to find any direct instructions on how to implement.
    Are there any useful links that you guys can recommend?
    Regards,
    Mehdi

    February 20, 2018 at 11:27 pm #20973
     tlmacal
    Participant

    Has anyone managed to use X.509 certificates for SSO authentication with OpenAM or AM5? I haven’t seen any mention since 2015 and none of them seem to claim success.

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?