MTLS (Mutual Authentication) in AMIS instead of Application White List by IP or FQDN
AMIS / AM Prime allows access by external applications through a white list of IP addresses. Applications developed under Pivotal Cloud Foundry (PCF) on cloud solutions have dynamic IP addresses. While it may be acceptable to white list based on Fully Qualified Domain Name (FQDN), many customers are asking if they can use MTLS (Mutual Authentication) instead of a white list.
Ramesh from Professional Services / AMIS Engineering recently provided a 'how to' document on configuring MTLS.
If AMIS is configured with a white list and MTLS, first the white list is checked, so only IPs or names on the white list are allowed to attempt a connection; then, secondly, any and all connections from this group of white-listed servers will need MTLS to connect. If there is no MTLS, the connection will be refused even though the IP or name is white-listed.
One recommendation is to white list the F5 load balancers and AMIS first (AMIS communicates with itself). Since MTLS is a global setting in server.xml, there may be no way to enable both MTLS and non-MTLS on different TCP ports on the same Tomcat server (AMIS).
The official KB is here:
https://community.securid.com/t5/securid-knowledge-base/how-to-configure-am-prime-amis-to-authenticate-remote/ta-p/679267 is the first version, without the notes on the white list combination.
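To make the "global setting in server.xml" point concrete, here is an illustrative Tomcat 9 server.xml excerpt. It is added here and is not taken from the KB article or from AMIS's shipped configuration; keystore paths, passwords and IP addresses are placeholders, and the RemoteAddrValve only stands in for a source-address allow-list (AMIS's own white list is a product feature, not this valve).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative excerpt only; not AMIS's shipped server.xml. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- HTTPS connector that REQUIRES a client certificate (mTLS).
         certificateVerification applies to every request on this port. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                     certificateVerification="required"
                     truststoreFile="conf/client-ca-truststore.p12"
                     truststorePassword="CHANGE_ME_TRUSTSTORE_PASSWORD"
                     truststoreType="PKCS12">
        <!-- Server identity presented to clients (placeholder paths). -->
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="CHANGE_ME_KEYSTORE_PASSWORD"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- Source-address allow-list evaluated before the application
             sees the request. Placeholder addresses: the load balancer
             VIPs plus loopback, since AMIS calls itself. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="10\.10\.1\.10|10\.10\.1\.11|127\.\d+\.\d+\.\d+" />
      </Host>
    </Engine>
  </Service>
</Server>
```

In Tomcat itself the TLS handshake, and with it the client-certificate check, completes before any valve sees the request, so the allow-list cannot make the certificate requirement conditional for a given source. Behind an F5 the address the valve sees is the load balancer's, which is why the load balancers (and the AMIS host) need to be on the list.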
