Client authentication configuration options

When an IAM instance is created, a key store with a self-signed server certificate is automatically generated and configured. For how to use a different server certificate, see Securing Airlock IAM with HTTPS.

To enable the client side of the mutual authentication, the following property must be set in the appropriate instance.properties file:

Enforce SSL mutual authentication

## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE
iam.web-server.https.client-auth = OPTIONAL_NO_CA

The table below lists each possible value with its explanation and typical use case.

Value: OPTIONAL_NO_CA
Explanation: Client certificates are requested but may be missing. CA trust is ignored.
Use case: Transaction approval for an internal service (e.g. e-banking)
  • IAM may establish direct trust to a certificate
  • The client certificate is often self-signed
  • A "User Iterator" (see below) is not required

Value: OPTIONAL
Explanation: Client certificates are requested but may be missing. CA trust is respected.
Use case: Loginapp with certificate authentication enabled
  • Client certificates are issued from a list of trusted CAs
  • A "User Iterator" (see below) is strongly recommended to establish the identity

Value: REQUIRED
Explanation: Client certificates are mandatory.
Use case: Strongly segregated transaction approval module
  • IAM may establish direct trust to a certificate or to certificates issued from a list of trusted CAs
  • A "User Iterator" (see below) is strongly recommended to establish the identity
  • Profiles are recommended to segregate the module that requires certificate authentication. See Sandboxing with profiles.

A REQUIRED use case scenario, securing the connection between Airlock Gateway (WAF) and IAM, is described here: Securing Airlock IAM with HTTPS

Value: NONE
Explanation: Client certificates are not requested.
Use case: None. Mutual authentication is not possible.
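As an added example (not Airlock code), the following Python snippet reads the client-auth property from an instance.properties excerpt, rejects values outside the four documented ones, and maps the configured mode to the handshake behaviour described in the table above (certificate requested, certificate mandatory, CA trust enforced). The minimal properties reader and the SAMPLE excerpt are constructed for this example.

```python
"""Added example: check the client-auth setting of an instance.properties excerpt."""
import re
from dataclasses import dataclass

CLIENT_AUTH_KEY = "iam.web-server.https.client-auth"

@dataclass(frozen=True)
class ClientAuthPolicy:
    mode: str
    certificate_requested: bool   # server asks the client for a certificate
    certificate_mandatory: bool   # handshake without a client certificate is rejected
    ca_trust_enforced: bool       # client chain must lead to a trusted CA

# Handshake behaviour per documented value, taken from the table above.
POLICIES = {
    "NONE":           ClientAuthPolicy("NONE", False, False, False),
    "OPTIONAL_NO_CA": ClientAuthPolicy("OPTIONAL_NO_CA", True, False, False),
    "OPTIONAL":       ClientAuthPolicy("OPTIONAL", True, False, True),
    "REQUIRED":       ClientAuthPolicy("REQUIRED", True, True, True),
}

# key, then '=', ':' or whitespace as separator, then the value
_LINE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:\s]\s*(.*?)\s*$")

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (constructed here): '#'/'!' comments,
    '=' ':' or blank separators, backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":  # blank or comment line
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def client_auth_policy(text: str) -> ClientAuthPolicy:
    """Return the policy implied by the client-auth property; raise if it is
    absent or not one of the documented values (values are case-sensitive)."""
    props = parse_properties(text)
    if CLIENT_AUTH_KEY not in props:
        raise KeyError(f"{CLIENT_AUTH_KEY} is not set")
    value = props[CLIENT_AUTH_KEY]
    if value not in POLICIES:
        raise ValueError(f"unsupported value {value!r}; expected one of {sorted(POLICIES)}")
    return POLICIES[value]

# Constructed sample excerpt, mirroring the property shown above.
SAMPLE = "## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE\n" \
         "iam.web-server.https.client-auth = OPTIONAL_NO_CA\n"
```

Running client_auth_policy on a real instance.properties shows at a glance whether the mode in effect ignores CA trust, which is the case to pair with direct trust to a specific certificate.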