SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000067906
Applies To
Authentication Manager Integration Services, AMIS v. 1.x aka AM Prime
RSA SecurID Authentication Manager Server v. 8.x
RSA SecurID Authentication Manager Server v. 8.x
Issue
Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol.
By default the TLS protocol only proves the identity of the server to the client using X.509 certificates, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.
https://en.wikipedia.org/wiki/Mutual_authentication#mTLS
MTLS in Prime is not a "standard" configuration, Tomcat natively supports MTLS, and we have several customers running with this configuration in production. The good news is RSA supports this configuration.
By default the TLS protocol only proves the identity of the server to the client using X.509 certificates, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.
https://en.wikipedia.org/wiki/Mutual_authentication#mTLS
MTLS in Prime is not a "standard" configuration, Tomcat natively supports MTLS, and we have several customers running with this configuration in production. The good news is RSA supports this configuration.
Resolution
1. modify the SSL Connector in server.xml to include the property certificateVerification="required"
Image description
2. Copy the client certificate to /opt/rsa/primekit/certificates directory (clientcert.cer).
3. Add the client certificate to the AMIS’s trust store.
cd /opt/rsa/primekit/certificates
../java/latest/bin/keystore -import -keystore truststore.jks -file clientcert.cer -alias client1
When prompted for password, enter the trust store’s keystore password.
Follow the above command with unique alias names to add the entire trust chain.
4. Restart Tomcat AMIS service
Refer the below article that talks about enabling 2-way authentication:
https://www.opencodez.com/java/implement-2-way-authentication-using-ssl.htm.
Sample response from Postman that doesn't include client certificate:
Image description
<Error_could_not_get_response_NoCert.png>
Sample response from Postman that includes client certificate
Image description
<200_OK_Body_MTLS_Cert.png>
There is also a remote host valve like IP address valve. This can be included this in server.xml to whitelist hostnames.
{{<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>}}
Image description2. Copy the client certificate to /opt/rsa/primekit/certificates directory (clientcert.cer).
3. Add the client certificate to the AMIS’s trust store.
cd /opt/rsa/primekit/certificates
../java/latest/bin/keystore -import -keystore truststore.jks -file clientcert.cer -alias client1
When prompted for password, enter the trust store’s keystore password.
Follow the above command with unique alias names to add the entire trust chain.
4. Restart Tomcat AMIS service
Refer the below article that talks about enabling 2-way authentication:
https://www.opencodez.com/java/implement-2-way-authentication-using-ssl.htm.
Sample response from Postman that doesn't include client certificate:
Image description<Error_could_not_get_response_NoCert.png>
Sample response from Postman that includes client certificate
Image description<200_OK_Body_MTLS_Cert.png>
There is also a remote host valve like IP address valve. This can be included this in server.xml to whitelist hostnames.
{{<Valve className="org.apache.catalina.valves.RemoteHostValve"
allow=".*\.mycompany\.com|www\.yourcompany\.com"/>}}
Notes
Here is the article that has more information on whitelisting hostnames:
https://tomcat.apache.org/tomcat-8.5-doc/config/host.html
Discussion on SecurID Community Web pages
MTLS (Mutual Authentication) in AMIS instead of Application White List by IP or FQDN
https://community.securid.com/t5/securid-discussions/mtls-mutual-authentication-in-amis-instead-of-application-white/td-p/677469
https://tomcat.apache.org/tomcat-8.5-doc/config/host.html
Discussion on SecurID Community Web pages
MTLS (Mutual Authentication) in AMIS instead of Application White List by IP or FQDN
https://community.securid.com/t5/securid-discussions/mtls-mutual-authentication-in-amis-instead-of-application-white/td-p/677469
In this article
