When an IAM instance is created, a key store with a self-signed server certificate is automatically generated and configured. To use a different server certificate, see Securing Airlock IAM with HTTPS.
To enable the client side of the mutual authentication, the following property must be set in the appropriate instance.properties file:

```properties
## Enforce SSL mutual authentication
## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE
iam.web-server.https.client-auth = OPTIONAL_NO_CA
```
Value | Explanation | Use Case |
---|---|---|
OPTIONAL_NO_CA | Client certificates are requested but may be missing; CA trust is ignored | Transaction approval for an internal service (e.g. e-banking) |
OPTIONAL | Client certificates are requested but may be missing; CA trust is respected | Loginapp with certificate authentication enabled |
REQUIRED | Client certificates are mandatory | Strongly segregated transaction approval module. A REQUIRED use case scenario, securing the connection between Airlock Gateway (WAF) and IAM, is described in Securing Airlock IAM with HTTPS |
NONE | Client certificates are not requested | None. Mutual authentication is not possible. |
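The following added example (not Airlock IAM code) reads the `iam.web-server.https.client-auth` value from a constructed instance.properties fragment and models what each mode in the table means for a client handshake; it assumes that REQUIRED validates the client chain against the IAM trust store, and the parser and function names are illustrative.

```python
"""Added example: parse the client-auth mode and model the table above."""

ALLOWED_MODES = ("REQUIRED", "OPTIONAL", "OPTIONAL_NO_CA", "NONE")
CLIENT_AUTH_KEY = "iam.web-server.https.client-auth"

# Constructed instance.properties fragment (not a real instance file).
SAMPLE_PROPERTIES = """
## Enforce SSL mutual authentication
## Possible values: REQUIRED, OPTIONAL, OPTIONAL_NO_CA, NONE
iam.web-server.https.client-auth = OPTIONAL_NO_CA
"""


def parse_properties(text):
    """Minimal Java-style .properties parser: '#'/'!' comments, key = value or key: value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def client_auth_mode(text):
    """Return the configured mode; reject a missing key or a typo instead of guessing."""
    mode = parse_properties(text).get(CLIENT_AUTH_KEY)
    if mode is None or mode.upper() not in ALLOWED_MODES:
        raise ValueError(f"missing or unsupported {CLIENT_AUTH_KEY}: {mode!r}")
    return mode.upper()


def handshake_outcome(mode, cert_presented, chain_trusted):
    """Model of the table: (handshake_accepted, tls_layer_verified_trust).

    cert_presented: the client sent a certificate during the handshake.
    chain_trusted:  that certificate chains to a CA in the IAM trust store.
    A False second element means trust must be established elsewhere (e.g. by the application).
    """
    if mode == "NONE":
        return True, False                       # certificate is never requested
    if mode == "OPTIONAL_NO_CA":
        return True, False                       # accepted even if missing or untrusted
    verified = cert_presented and chain_trusted
    if mode == "OPTIONAL":
        return (not cert_presented) or verified, verified   # untrusted cert is rejected
    if mode == "REQUIRED":
        return verified, verified                # assumed: mandatory and CA-validated
    raise ValueError(f"unknown mode {mode!r}")
```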