FAQ
ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: SSL/TLS secured connections in AM and Agents

Last updated May 10, 2022

The purpose of this FAQ is to provide answers to commonly asked questions regarding SSL/TLS secured connections in AM and Agents.



Frequently asked questions

This article covers questions related to SSL/TLS secured connections; see FAQ: SSL certificate management in AM and Agents for questions related to SSL certificate management in AM and Agents.

Q. Should I enable SSL before installing AM?

A. Yes. Enable SSL before installing AM, because AM records its own server URL (scheme, host and port) at installation time; configuring HTTPS first is a lot simpler than changing the scheme afterwards. See Configuring AM's Container for HTTPS for further information on setting up AM with SSL if you are using Apache Tomcat™ as the deployment container.

If you have already installed AM, refer to the following articles for further information on enabling SSL:

Q. Do I need to do anything differently when installing ssoadm?

A. If you access the configuration store and/or the AM instance over an SSL/TLS secured connection, you must point the tools at the truststore that contains the required certificates: in the setup or setup.bat script before installing ssoadm, and in the ssoadm or ssoadm.bat script once it is installed.

This is described in FAQ: Installing and using ssoadm in AM (Q. How do I install the ssoadm administration tool if I am using SSL?).

Q. How do I make AM communicate with a secured LDAP server, such as DS?

A. When DS uses LDAPS (LDAP over SSL/TLS), you must import the DS server certificate, or preferably the CA certificate that issued it, into your AM truststore. This allows the JVM to trust the DS server certificate and enables AM to connect to the secured DS.

See Preparing a Truststore (AM 7 and later) or How do I make AM 5.x and 6.x communicate with a secured LDAP server? for further information.

Q. How do I configure an agent for SSL offloading?

A. You can configure an agent for SSL offloading as described in the following articles (depending on agent type):

If you use virtual hosts, the following article may also be useful: How do I configure SSL offloading at the Agent (All versions) for virtual hosts?

Q. How do I test my SSL connection to an external resource?

A. You can use the openssl third-party tool to attempt an SSL handshake and report on the resulting connection. Run a command such as the following; in the output, the Verify return code line tells you whether the certificate chain was trusted (anything other than 0 (ok) is a failure) and the SSL-Session section shows the negotiated protocol and cipher:

$ openssl s_client -connect [hostname:port] -showcerts
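The following script is an added example and not part of the ForgeRock article. It wraps openssl s_client so that SNI, an explicit CA bundle and a pinned protocol version are always supplied, summarises the transcript, and (for the DS/LDAPS question above) pulls a single certificate out of the chain for import into the AM truststore with keytool. The host names, ports and file paths are assumptions; the transcripts used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not part of the ForgeRock article: probe a TLS endpoint
# (AM over HTTPS, or DS over LDAPS) with openssl s_client, summarise the
# handshake, and pull a certificate out of the transcript for import into
# the AM truststore with keytool. Host names, ports and file paths are
# illustrative assumptions.
set -u

# Handshake with SNI, an explicit CA bundle and a pinned protocol version
# (tls1_2 or tls1_3). stdin is closed so s_client exits after the handshake;
# stderr is merged so "verify error" lines end up in the transcript.
tls_probe() {
    host=$1; port=$2; cafile=$3; proto=${4:-tls1_2}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" "-$proto" -showcerts </dev/null 2>&1
}

# Reduce an s_client transcript (stdin) to "protocol cipher verify_code".
# Exit status is 0 only when the chain verified (Verify return code: 0).
tls_summary() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s %s %s\n' "${proto:-unknown}" "${cipher:-none}" "${code:-unknown}"
    [ "$code" = "0" ]
}

# Number of PEM certificates the server sent (requires -showcerts). A chain
# that omits its intermediate is a common cause of verify code 20/21.
chain_length() {
    grep -c '^-----BEGIN CERTIFICATE-----'
}

# Print the Nth PEM block of the transcript: 1 is the server certificate and
# the last block is normally the issuing CA, which is what belongs in the
# truststore (a self-signed server certificate is block 1 and the only block).
nth_cert() {
    awk -v n="$1" '
        /^-----BEGIN CERTIFICATE-----/ { c++ }
        c == n { print }
        /^-----END CERTIFICATE-----/ && c == n { exit }'
}

# Import a PEM certificate into a JKS/PKCS12 truststore. keytool prompts for
# the store password; it is deliberately not passed on the command line.
import_trusted_cert() {
    alias=$1; pem=$2; store=$3
    keytool -importcert -trustcacerts -noprompt \
        -alias "$alias" -file "$pem" -keystore "$store"
}

# Example usage (assumed host names and paths):
#   sh tls_check.sh --probe am.example.com 8443 /etc/ssl/certs/ca.pem tls1_3
#   sh tls_check.sh --dump  ds.example.com 1636 /etc/ssl/certs/ca.pem >ds.txt
#   nth_cert 2 <ds.txt >ds-ca.pem
#   import_trusted_cert ds-ca ds-ca.pem /path/to/tomcat/conf/truststore
case ${1:-} in
    --probe) shift; tls_probe "$@" | tls_summary ;;   # one-line summary
    --dump)  shift; tls_probe "$@" ;;                  # full transcript
esac
```

Run the probe twice, once with -tls1_2 and once with -tls1_3, to confirm which versions the container actually negotiates; a non-zero verify code with a CA bundle you trust usually means the server is not sending its intermediate certificate (check chain_length).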

Q. How do I debug SSL connection issues?

A. You can enable SSL debug logging to produce detailed SSL debugging information, including which truststore is being used and which certificates it contains. Enable it by adding the following JVM option to the web container or application server on which AM is deployed, then restart the container. The output is very verbose, so remove the option again once you have finished troubleshooting:

-Djavax.net.debug=SSL,handshake,trustmanager

The location of the SSL debug logs is specific to your web container or application server. For example, for AM deployed on Apache Tomcat, the SSL debug output is written to catalina.out, which is located in the /path/to/tomcat/logs directory by default.

See Debugging SSL/TLS Connections for further information on SSL debugging.
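The following script is an added example and not part of the ForgeRock article. It extracts from javax.net.debug output the three things you usually need: the truststore the JVM actually loaded, the subjects it added as trusted, and the lines that explain a failed handshake. It handles both the JDK 8 plain-text format and the JDK 11+ format in which each line is prefixed with javax.net.ssl|LEVEL|...; the log path and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the ForgeRock article: triage javax.net.debug
# output (JDK 8 plain-text style and the JDK 11+ "javax.net.ssl|DEBUG|..."
# style). The log path is an assumption.
set -u

# Which truststore the JVM actually loaded (first occurrence wins). The JDK 11+
# prefix before "trustStore is:" is skipped by the leading ".*".
truststore_path() {
    sed -n 's/.*trustStore is: *//p' | head -n 1
}

# Subjects of the certificates that were added as trusted, in both log styles:
#   JDK 8:   '  Subject: CN=...'
#   JDK 11+: '    "subject"           : "CN=...",'
trusted_subjects() {
    sed -n -e 's/^ *Subject: *//p' \
           -e 's/^ *"subject" *: *"\([^"]*\)".*/\1/p'
}

# Lines that explain a failed handshake: the exception, the PKIX path error,
# and the TLS alerts most often seen when trust or protocol negotiation fails.
handshake_errors() {
    grep -E 'SSLHandshakeException|PKIX path building failed|handshake_failure|certificate_unknown|unknown_ca|protocol_version'
}

# One-screen triage report for a log file. Returns 1 if any error was found.
triage() {
    log=$1
    printf 'truststore: %s\n' "$(truststore_path <"$log")"
    printf 'trusted subjects:\n'
    trusted_subjects <"$log" | sed 's/^/  /'
    errs=$(handshake_errors <"$log" || true)
    if [ -n "$errs" ]; then
        printf 'handshake errors:\n%s\n' "$errs" | sed 's/^/  /'
        return 1
    fi
    printf 'no handshake errors found\n'
}

# Usage (assumed path): sh ssl_triage.sh /path/to/tomcat/logs/catalina.out
if [ $# -eq 1 ]; then
    triage "$1"
fi
```

If the reported truststore is not the one you edited (for example the JVM's default cacerts rather than the file named in javax.net.ssl.trustStore), the certificate import succeeded but the container is not reading that file; fix the JVM option before importing anything else.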

Q. What versions of TLS are supported by AM and the Agents?

A. Supported versions of TLS are determined by the web application container and the underlying Java® version (for AM and Java Agents), and by the OpenSSL version (for Web Agents). You should ensure you are using versions of these technologies that are supported by your AM and/or agent versions.

TLS 1.3 is supported in Java 11 and later, and in later Java 8 updates (Oracle JDK 8u261 and OpenJDK 8u272 onwards). This means you can use TLS 1.3 in AM and Java Agents with these Java versions, provided the web application container version you are using also supports TLS 1.3.

See Preventing Insecure HTTP and LDAP Connections for details on setting the protocols used by AM.

Web Agents

  • TLS v1.3:

Web Agents 5.6 and later support TLSv1.3 when used with OpenSSL 1.1.1 or later. See OpenSSL Requirements for further information.

  • TLS v1.2:

Ensure you have installed OpenSSL 1.0.2 or later, and that TLSv1.2 has not been disabled through the org.forgerock.agents.config.tls advanced encryption property in the agent.conf file. (For Java Agents, both Oracle Java 8 and OpenJDK 8 enable TLS v1.2 by default.)

The org.forgerock.agents.config.tls property disables SSL/TLS protocol versions. In Web Agents 5.5 and later, only TLSv1.2 is enabled by default. In Web Agents 5, you should disable the weaker protocol versions by listing each one with a leading -. For example, the following setting leaves only TLSv1.2 enabled:

org.forgerock.agents.config.tls=-SSLv3 -TLSv1 -TLSv1.1

See FAQ: SSL certificate management in AM and Agents (Q. How do I configure the Web Agent for two-way SSL?) for further information on setting this property.

Q. Can I change which SSL/TLS ciphers are used by the Agents to connect to AM over SSL/TLS?

A. Yes, you can configure the list of ciphers that are supported as described in: Bootstrap Properties.

Q. Does the Java Agent offer a separate configuration for SSL/TLS client authentication?

A. No, it does not; by default it uses the HttpsURLConnection class provided by the JVM. The client certificate and the truststore it presents and checks are therefore those of the JVM's default SSL context, that is, the keystore and truststore named by the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties (or the JVM's default cacerts when no truststore is set).

See Also

Java Agents, AM 5.x and 6.x fail to install on IBM WebSphere when SSL is enabled

FAQ: SSL certificate management in AM and Agents

How do I troubleshoot connection via LDAPS issues in DS (All versions)?

FAQ: SAML certificate management in AM 5.x and 6.x

FAQ: Installing and using ssoadm in AM

SSL in AM and Agents

Security Guide

Debugging SSL/TLS Connections


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.