This article covers questions related to SSL/TLS secured connections; see FAQ: SSL certificate management in AM and Agents for questions related to SSL certificate management in AM and Agents.
- Q. Should I enable SSL before installing AM?
- Q. Do I need to do anything differently when installing ssoadm?
- Q. How do I make AM communicate with a secured LDAP server, such as DS?
- Q. How do I configure an agent for SSL offloading?
- Q. How do I test my SSL connection to an external resource?
- Q. How do I debug SSL connection issues?
- Q. What versions of TLS are supported by AM and the Agents?
- Q. Can I change which SSL/TLS ciphers are used by the Agents to connect to AM over SSL/TLS?
- Q. Does the Java Agent offer a separate configuration for SSL/TLS client authentication?
Q. Should I enable SSL before installing AM?
A. Yes, you should enable SSL before installing AM as this makes configuration a lot simpler. See Configuring AM's Container for HTTPS for further information on setting up AM with SSL if you are using Apache Tomcat™ as the deployment container.
If you have already installed AM, refer to the following articles for further information on enabling SSL:
- New install - How do I enable SSL in AM (All versions) post-install? - If this is a new install, it is preferable to reinstall AM rather than making lots of configuration changes.
- Existing installation - How do I enable SSL in AM (All versions) for an existing installation?
Q. Do I need to do anything differently when installing ssoadm?
A. If you access the configuration store and/or AM instance using an SSL/TLS secured connection, you should include details of the truststore that contains the required certificates in the setup or setup.bat script prior to installing ssoadm, and in the ssoadm or ssoadm.bat script once it is installed.
This is described in FAQ: Installing and using ssoadm in AM (Q. How do I install the ssoadm administration tool if I am using SSL?).
Q. How do I make AM communicate with a secured LDAP server, such as DS?
A. When DS uses LDAP secured access (LDAPS), you must import the DS server certificate into your AM truststore. This allows the JVM to trust the DS server certificate and enables AM to connect to the secured DS.
See Preparing a Truststore (AM 7 and later) or How do I make AM 5.x and 6.x communicate with a secured LDAP server? for further information.
Q. How do I configure an agent for SSL offloading?
A. Refer to the article for your agent type:
- Web - How do I configure a Web Agent (All versions) for SSL offloading?
- Java - How do I configure a Java Agent (All versions) for SSL offloading?
If you use virtual hosts, the following article may also be useful: How do I configure SSL offloading at the Agent (All versions) for virtual hosts?
Q. How do I test my SSL connection to an external resource?
A. You can use the openssl third-party tool to provide information about the SSL connection as well as attempting an SSL handshake. You can run a command such as the following to provide this information:
$ openssl s_client -connect [hostname:port] -showcerts
Q. How do I debug SSL connection issues?
A. You can enable SSL debug logging to provide detailed SSL debugging information, including details of which truststore is being used and which certificates are included in that truststore. You can enable SSL debugging by adding the following JVM option to the web container or application server on which you have deployed AM:
-Djavax.net.debug=SSL,handshake,trustmanager
The location of the SSL debug logs is specific to your web container or application server. For example, for AM deployed on Apache Tomcat, the SSL debug logs are written to catalina.out, which is located in the /path/to/tomcat/logs directory by default.
See Debugging SSL/TLS Connections for further information on SSL debugging.
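The two answers above (testing a connection with openssl s_client, then working out why the handshake is not trusted) can be combined into a small checker. This is an added example, not code from this FAQ or from AM; it assumes openssl is on the PATH and that the hostname, port and CA file you pass are your own. The sample s_client output embedded in it is constructed to show the self-signed case from the DS question.

```python
import re
import subprocess
# Constructed, trimmed sample of `openssl s_client -showcerts` output for a DS
# server presenting a self-signed certificate; not captured from a real system.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = ds.example.com
   i:CN = ds.example.com
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 18 (self signed certificate)
"""

TRUST_ERRORS = {  # OpenSSL X509_V_ERR_* codes meaning the client does not trust the peer
    18: "peer presents a self-signed certificate",
    19: "self-signed root in the chain is not in the truststore",
    20: "issuer certificate is not in the truststore",
    21: "server sent only a leaf certificate whose issuer is not trusted",
}

def parse_s_client(output: str) -> dict:
    """Extract chain, protocol, cipher and verify result from s_client output."""
    chain = [{"subject": s.strip(), "issuer": i.strip()}
             for s, i in re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)]
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    return {"chain": chain, "protocol": proto.group(1) if proto else None,
            "cipher": cipher.group(1) if cipher else None,
            "verify_code": int(verify.group(1)) if verify else None,
            "verify_reason": verify.group(2) if verify else None}

def diagnose(result: dict) -> str:
    """Map the verify result to the action this FAQ describes (truststore import)."""
    code = result["verify_code"]
    if code is None:
        return "handshake did not complete; check host:port and enable SSL debug logging"
    if code == 0:
        return "certificate chain is trusted by the CA file used for this test"
    if code in TRUST_ERRORS:
        return f"{TRUST_ERRORS[code]}; import the server certificate into the AM truststore"
    return f"verification failed: {result['verify_reason']} (code {code})"

def run_s_client(host: str, port: int, cafile=None) -> dict:
    """Run s_client with stdin closed so it exits right after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    if cafile:  # e.g. a PEM export of the AM truststore, to test what AM itself would trust
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=15)
    return parse_s_client(proc.stdout + proc.stderr)
```

Passing the AM truststore (exported to PEM) as cafile makes the verify result reflect what AM's JVM would decide, rather than what the system CA bundle decides.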
Q. What versions of TLS are supported by AM and the Agents?
A. Supported versions of TLS are determined by the web application container as well as the underlying version of Java® and OpenSSL. You should ensure you are using appropriate versions of these technologies in accordance with what is supported by your AM and/or agent versions.
See Preventing Insecure HTTP and LDAP Connections for details on setting the protocols used by AM.
- TLS v1.3:
Web agents 5.6 and later support TLSv1.3 if OpenSSL 1.1.1 or later is used. See OpenSSL Requirements for further information.
- TLS v1.2:
Both Java 8 and OpenJDK 8 support TLS v1.2 by default.
You should ensure you have installed OpenSSL 1.0.2 or greater. Additionally, you should ensure TLS v1.2 is not listed in the org.forgerock.agents.config.tls advanced encryption property that can be set in the agent.conf file, because any version listed there is disabled.
The org.forgerock.agents.config.tls property is used to disable SSL/TLS versions. By default, only TLSv1.2 is enabled in Web Agents 5.5 and later. In Web Agents 5, you should disable the weaker versions by listing each one with - in front. For example, the following setting leaves only TLSv1.2 enabled:
org.forgerock.agents.config.tls=-SSLv3 -TLSv1 -TLSv1.1
See FAQ: SSL certificate management in AM and Agents (Q. How do I configure the Web Agent for two-way SSL?) for further information on setting this property.
Q. Can I change which SSL/TLS ciphers are used by the Agents to connect to AM over SSL/TLS?
A. Yes, you can configure the list of ciphers that are supported as described in: Bootstrap Properties.