OpenIDM Client_Cert Auth Module and Jetty wantClientAuth Setting Dependency

Brief:

OpenIDM ships with a Client_Cert Auth Module. This module authenticates a request by validating the client certificate presented on the HTTPS connection: it compares the subject DN of the certificate in the request with the subject DN patterns set in the module's configuration.

Using this module requires three files to be configured.

Three files that matter

  1. <idm-home>/conf/jetty.xml
  2. <idm-home>/conf/boot/
  3. <idm-home>/conf/authentication.json

Description of each file/configuration

  1. jetty.xml : This is where you configure Jetty's wantClientAuth property so that Jetty requests a client certificate during the TLS handshake. This is a must and has to be set to true; otherwise the Client_Cert Auth Module cannot access the client's certificate. (wantClientAuth only requests a certificate; a client that presents none still connects and falls through to the other authentication modules.)
  2. <idm-home>/conf/boot/ : The Client_Cert Auth Module checks the port the request arrived on, and it must match the port listed in this file under the setting openidm.auth.clientauthonlyports. If the port set in this file does not match the port the request came in on, authentication fails.
  3. authentication.json : This is where the Client_Cert Auth Module is enabled and its other properties are configured, the most important being "allowedAuthenticationIdPatterns".

Sample Config (relevant portions only):

1. jetty.xml

<Set name="wantClientAuth">true</Set>
3. authentication.json

{
  "name" : "CLIENT_CERT",
  "properties" : {
    "queryOnResource" : "security/truststore",
    "defaultUserRoles" : [ "openidm-cert" ],
    "allowedAuthenticationIdPatterns" : [ "CN=johndoe, O=fooOrg, OU=fooOU, L=None, ST=None, C=None" ]
  },
  "enabled" : true
}

4. Curl Sample

curl --cacert self-signed.crt --cert-type PEM \
     --key key.pem --key-type PEM \
     --tlsv1 --cert /path/to/./cert.pem \
     --header "X-OpenIDM-Username: anonymous" --header "X-OpenIDM-Password: anonymous" \
     --request GET https://localhost:8444/openidm/info/ping
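The following script is an added example (not OpenIDM's own code) that checks the three settings above together for a given request port and certificate subject DN, using constructed sample inputs modelled on the configuration on this page. It assumes the authModules list sits under serverAuthContext in authentication.json and that each allowedAuthenticationIdPatterns entry is a regular expression matched against the whole subject DN.

```python
import json
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring the three files described above (not real deployment files).
JETTY_XML = "<Configure><Set name=\"wantClientAuth\">true</Set></Configure>"
BOOT_PROPS = "openidm.port.https=8443\nopenidm.auth.clientauthonlyports=8444\n"
AUTH_JSON = json.dumps({"serverAuthContext": {"authModules": [{
    "name": "CLIENT_CERT", "enabled": True,
    "properties": {"queryOnResource": "security/truststore",
                   "defaultUserRoles": ["openidm-cert"],
                   "allowedAuthenticationIdPatterns": [
                       "CN=johndoe, O=fooOrg, OU=fooOU, L=None, ST=None, C=None"]}}]}})

def want_client_auth(jetty_xml):
    # Jetty only asks the client for a certificate when this Set element is true.
    root = ET.fromstring(jetty_xml)
    return any(el.get("name") == "wantClientAuth" and (el.text or "").strip().lower() == "true"
               for el in root.iter("Set"))

def client_auth_only_ports(boot_props):
    # Comma-separated ports on which the module accepts certificate authentication.
    for line in boot_props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "openidm.auth.clientauthonlyports":
            return {int(p) for p in value.split(",") if p.strip()}
    return set()

def client_cert_module(auth_json):
    # Assumption: authModules sits under serverAuthContext (older layouts keep it top level).
    cfg = json.loads(auth_json)
    modules = cfg.get("serverAuthContext", cfg).get("authModules", [])
    return next((m for m in modules if m.get("name") == "CLIENT_CERT" and m.get("enabled")), None)

def check_request(jetty_xml, boot_props, auth_json, port, subject_dn):
    """Return the reasons a request on `port` with certificate subject `subject_dn` is rejected."""
    problems = []
    if not want_client_auth(jetty_xml):
        problems.append("jetty.xml: wantClientAuth is not true, so the module never sees a certificate")
    if port not in client_auth_only_ports(boot_props):
        problems.append(f"boot: port {port} is not listed in openidm.auth.clientauthonlyports")
    module = client_cert_module(auth_json)
    if module is None:
        problems.append("authentication.json: CLIENT_CERT module missing or disabled")
    else:
        # Assumption: each pattern is a regular expression that must match the whole subject DN.
        patterns = module["properties"].get("allowedAuthenticationIdPatterns", [])
        if not any(re.fullmatch(p, subject_dn) for p in patterns):
            problems.append(f"authentication.json: subject DN {subject_dn!r} matches no allowed pattern")
    return problems
```

An empty result means all three dependencies line up for that request; each entry names the file whose setting would cause the failure.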

References:

X.509 Authentication: Including SmartCards