How to configure AM Prime / AMIS to authenticate remote application servers with MTLS (Mutual Authentication)
3 years ago
Article Number
000067906
Applies To
Authentication Manager Integration Services, AMIS v. 1.x  aka AM Prime
RSA SecurID Authentication Manager Server v. 8.x
Issue
Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol.
By default the TLS protocol only proves the identity of the server to the client using X.509 certificates, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.
https://en.wikipedia.org/wiki/Mutual_authentication#mTLS

MTLS in Prime is not a "standard" configuration, Tomcat natively supports MTLS, and we have several customers running with this configuration in production. The good news is RSA supports this configuration.
 
Tasks
1. modify the SSL Connector in server.xml to include the property certificateVerification="required"
2. Copy the client certificate to /opt/rsa/primekit/certificates directory (clientcert.cer).
3. Add the client certificate to the AMIS’s trust store.
4. Restart Tomcat AMIS service
Resolution
1. modify the SSL Connector in server.xml to include the property certificateVerification="required"

Tomcat_SSL_connector

2. Copy the client certificate to /opt/rsa/primekit/certificates directory (clientcert.cer).


3. Add the client certificate to the AMIS’s trust store.

cd /opt/rsa/primekit/certificates
../java/latest/bin/keystore -import -keystore truststore.jks -file clientcert.cer -alias client1
When prompted for password, enter the trust store’s keystore password.
               Follow the above command with unique alias names to add the entire trust chain.

4. Restart Tomcat AMIS service

Refer the below article that talks about enabling 2-way authentication:
https://www.opencodez.com/java/implement-2-way-authentication-using-ssl.htm.

Sample response from Postman that doesn't include client certificate:

Error no cert
 <Error_could_not_get_response_NoCert.png>

Sample response from Postman that includes client certificate

200_OK_Body_MTLS_Cert

 <200_OK_Body_MTLS_Cert.png>

There is also a remote host valve like IP address valve. This can be included this in server.xml to whitelist hostnames.
{{<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>}}

 
Notes
AMIS Whitelisting of remote Tomcat or other server connections can still be enabled with MTLS, but AMIS White List is checked first, so only IP addresses or names in the whitelist are allowed to attempt a connection, then Secondly any connections from this group of white listed Servers will need MTLS or that connection will be refused.  

Here is the article that has more information on whitelisting hostnames:
https://tomcat.apache.org/tomcat-8.5-doc/config/host.html

Discussion on SecurID Community Web pages
MTLS (Mutual Authentication) in AMIS instead of Application White List by IP or FQDN
https://community.securid.com/t5/securid-discussions/mtls-mutual-authentication-in-amis-instead-of-application-white/td-p/677469

Related Articles

Trending Articles

Don't see what you're looking for?