How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure IG (All versions) to retrieve the user certificate and pass it to AM in the HTTP header?

Last updated Jun 8, 2021

The purpose of this article is to provide information on configuring IG to retrieve the user (X.509) certificate from the web container and pass it to AM in the HTTP header. This setup can be used if you are using IG as a reverse proxy for AM and are using the Certificate Authentication module in AM to authenticate users.



Configuration

Note

If SSL is terminated by a reverse-proxy or load balancer in front of IG that has been configured to pass on user certificates, IG will pass the HTTP header containing the user certificate (providing IG has not been configured to explicitly remove headers as part of a Filter configuration). Therefore, you will not need to configure IG in this scenario.

If you are using IG as the reverse proxy, you can configure IG to retrieve the user certificate from the web container and pass it to AM via the HTTP header:

  1. Ensure AM has been configured to check the HTTP header for the user certificate as detailed in How do I configure AM (All versions) to check the HTTP header for the user certificate?
  2. Configure IG to retrieve the user certificate in PEM format. The certificate(s) in client.certificates (a list that is never null but can be empty) are not PEM encoded, as AM requires. You can obtain the PEM values and pass them along in a header by calling client.toJsonValue(), for example:

     ${contexts.client.toJsonValue().asMap().certificates}

     This evaluates to a PEM-encoded string containing all certificates found in the client context (expected to be either 0 or 1 certificates). If no certificates are found, it returns an empty string.
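The following route is an added example (not taken from the original article) of step 2: a HeaderFilter strips any client-supplied header of the same name, so a caller cannot inject a forged certificate value, and then adds the PEM string from the client context before the request is proxied to AM. The header name X-Client-Cert, the route condition and the baseURI are assumptions and must match the header name and trusted host configured in the AM Certificate module; the route syntax assumes IG 6 or later (ReverseProxyHandler).

```json
{
  "name": "am-client-cert",
  "condition": "${matches(request.uri.path, '^/am')}",
  "baseURI": "https://am.example.com:8443",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "remove": [
              "X-Client-Cert"
            ],
            "add": {
              "X-Client-Cert": [
                "${contexts.client.toJsonValue().asMap().certificates}"
              ]
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Because the expression returns an empty string when no certificate was presented, AM receives an empty header in that case and the Certificate Authentication module fails the login rather than falling through.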

Web container

You should ensure the web container in which AM and IG are deployed handles user certificates correctly. For example, for Apache Tomcat™, you should set clientAuth to "want" in the server.xml file.

See Installation in Detail for further information on configuring the web container. In particular, see Configuring IG for HTTPS (Server-Side) in Tomcat for information on getting Tomcat up quickly on an SSL port.

See Also

How do I configure AM (All versions) to check the HTTP header for the user certificate?

Certificate Authentication Module

Key Extension Points

Class ClientContext

Class AbstractContext

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.