Does not apply to Identity Cloud

How do I configure AM (All versions) to check the HTTP header for the user certificate?

Last updated Apr 13, 2021

The purpose of this article is to provide information on configuring AM to check the HTTP header for the user (X.509) certificate. This setup applies when SSL is offloaded at a load balancer or reverse proxy in front of AM, the user certificate is passed to AM in an HTTP header (in PEM format) and the Certificate Authentication module is used to authenticate users.


Configuring AM

Note

If you use IG as your reverse proxy, IG simply passes through the HTTP header containing the user certificate (provided you have not configured IG to explicitly remove headers as part of a Filter configuration). If, however, you want IG to retrieve the user certificate itself and pass it to AM, you must configure IG as detailed in How do I configure IG (All versions) to retrieve the user certificate and pass it to AM in the HTTP header?

You can configure the Certificate Authentication module to check the HTTP header for user certificates using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Authentication > Modules > [Certificate Module] and update the following fields:
    • Trusted Remote Hosts - Add the IP of the host supplying the HTTP header that contains the user certificate. You can add "any" instead of a specific IP to allow any host; however, this option is not as secure. Remove the "none" value.
    • HTTP Header Name for Client Certificate - Enter the HTTP header name for the client certificate that is inserted by the load balancer or reverse proxy. This should be the full PEM encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundary lines. In between these boundary lines, there should be the Base64 encoding output of the DER encoded certificate.
  • ssoadm: enter the following command, replacing [realmname], [adminID], [passwordfile], [hostIP] and [header] with appropriate values:

    $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthCertService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-cert-gw-cert-auth-enabled=[hostIP] sunAMHttpParamName=[header]

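The two settings above amount to two checks: the header is only honoured when the connecting peer is a Trusted Remote Host, and its value must be a complete PEM certificate whose Base64 body decodes to one DER SEQUENCE. The following is an added illustration of those checks written for this article, not AM's own code; it assumes trusted hosts are matched as exact IP literals and uses a constructed stand-in for the certificate bytes.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def host_is_trusted(remote_ip, trusted_hosts):
    """Trusted Remote Hosts semantics: 'none' (the default) trusts nobody,
    'any' trusts every peer, otherwise the exact peer IP must be listed."""
    if not trusted_hosts or "none" in trusted_hosts:
        return False
    return "any" in trusted_hosts or remote_ip in trusted_hosts

def _der_claimed_length(der):
    """Bytes the outer DER TLV claims to occupy (tag + length + content)."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold it
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der(header_value):
    """BEGIN line, Base64 of the DER certificate, END line; inner whitespace
    is tolerated because proxies often flatten PEM newlines into a header."""
    text = header_value.strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        raise ValueError("missing PEM boundary lines")
    body = re.sub(r"\s+", "", text[len(PEM_BEGIN):-len(PEM_END)])
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if _der_claimed_length(der) != len(der) or der[0] != 0x30:
        raise ValueError("payload is not a single DER SEQUENCE")
    return der

def client_cert_from_request(headers, remote_ip, trusted_hosts, header_name):
    """DER certificate, or None if the peer is untrusted or the header is
    absent. The peer check runs first, so a header not sent by the proxy is never parsed."""
    if not host_is_trusted(remote_ip, trusted_hosts):
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    return None if value is None else pem_to_der(value)

# Constructed stand-in for a certificate: a DER SEQUENCE holding INTEGER 42.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x2A])
SAMPLE_PEM = f"{PEM_BEGIN}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_END}"
```

Leaving the default "none" in Trusted Remote Hosts makes every request fail the first check, which is why the article tells you to remove it.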
Note

You must restart the web application container in which AM runs to apply these configuration changes.

See Also

How do I configure IG (All versions) to retrieve the user certificate and pass it to AM in the HTTP header?

Authentication and Single Sign-On Guide › Certificate Authentication Module

Gateway Guide › Processing Requests and Responses

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.