21.1.2. Client authentication configuration options

When an IAM instance is created, a key store with a self-signed server certificate is automatically generated and configured. For how to use a different server certificate, see 8.3.3. Securing Airlock IAM with HTTPS.

To enable the client side of mutual TLS authentication, the following property must be set in the appropriate instance.properties file:

Enforce SSL mutual authentication

## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE
iam.web-server.https.client-auth = OPTIONAL_NO_CA
Value: OPTIONAL_NO_CA
Explanation: Client certificates are requested but may be missing. CA trust is ignored.
Use case: Transaction approval for an internal service (e.g. e-banking)
  • IAM may establish direct trust to a certificate
  • The client certificate is often self-signed
  • A "User Iterator" (see below) is not required

Value: OPTIONAL
Explanation: Client certificates are requested but may be missing. CA trust is respected.
Use case: Loginapp with certificate authentication enabled
  • Client certificates are issued from a list of trusted CAs
  • A "User Iterator" (see below) is strongly recommended to establish the identity

Value: REQUIRED
Explanation: Client certificates are mandatory.
Use case: Strongly segregated transaction approval module
  • IAM may establish direct trust to a certificate or to certificates issued from a list of trusted CAs
  • A "User Iterator" (see below) is strongly recommended to establish the identity
  • Profiles are recommended to segregate the module that requires certificate authentication. See 7.2. Sandboxing with profiles.
  A REQUIRED use case scenario, securing the connection between Airlock Gateway (WAF) and IAM, is described in 8.3.3. Securing Airlock IAM with HTTPS.

Value: NONE
Explanation: Client certificates are not requested.
Use case: None. Mutual authentication is not possible.
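The following added example (not Airlock IAM's own code) models what the four client-auth values mean for a single connection: it reads the property from a constructed instance.properties excerpt and decides whether the TLS handshake is accepted and whether the application receives a certificate it still has to trust. It assumes the TLS-layer behaviour implied by the table above; `read_client_auth`, `evaluate` and `Outcome` are illustrative names.

```python
"""Simplified model of the iam.web-server.https.client-auth modes (assumption:
TLS-layer behaviour inferred from the table above; not Airlock IAM's own code)."""
from dataclasses import dataclass
from enum import Enum

PROPERTY = "iam.web-server.https.client-auth"
# Constructed instance.properties excerpt (sample input, not a real instance file).
SAMPLE_PROPERTIES = ("## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE\n"
                     "iam.web-server.https.client-auth = OPTIONAL_NO_CA\n")

class ClientAuth(Enum):
    REQUIRED = "REQUIRED"
    OPTIONAL = "OPTIONAL"
    OPTIONAL_NO_CA = "OPTIONAL_NO_CA"
    NONE = "NONE"

def read_client_auth(properties_text: str) -> ClientAuth:
    """Return the configured mode; '#' comment lines are skipped and an unknown
    or missing value raises ValueError instead of silently defaulting."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return ClientAuth(value.strip())  # ValueError on unknown values
    raise ValueError(f"{PROPERTY} is not set")

@dataclass(frozen=True)
class Outcome:
    handshake_ok: bool     # connection accepted at the TLS layer
    cert_available: bool   # the application receives a client certificate
    note: str

def evaluate(mode: ClientAuth, presented: bool, trusted: bool) -> Outcome:
    """presented: the client sent a certificate; trusted: it validates against
    IAM's trust store (its issuing CA, or the certificate itself for direct trust)."""
    if mode is ClientAuth.NONE:
        return Outcome(True, False, "certificate never requested; no mutual authentication")
    if not presented:
        if mode is ClientAuth.REQUIRED:
            return Outcome(False, False, "certificate mandatory but missing")
        return Outcome(True, False, "no certificate; another authentication method is needed")
    if mode is ClientAuth.OPTIONAL_NO_CA:
        return Outcome(True, True, "CA trust ignored; IAM must establish direct trust itself")
    if trusted:
        return Outcome(True, True, "trusted certificate; map it to a user (User Iterator)")
    return Outcome(False, True, "certificate presented but not trusted; handshake rejected")
```

Note that under OPTIONAL_NO_CA a self-signed certificate passes the handshake, so the application-level direct trust check is the only thing standing between an arbitrary certificate and an authenticated identity.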