Configure Two-Way SSL Authentication

Two-way SSL authentication requires the server and the client to authenticate and validate each other before a connection is established. Cloud Gateway acts as the server and IdentityIQ as its client.

Example extension configuration files used when signing the certificates for two-way SSL authentication:

root-ca.cnf example:

[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash

server.cnf example:

[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth, clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:<FQDN for Cloud Gateway machine>, DNS:<name of machine>, IP:<IP of Cloud Gateway machine>
subjectKeyIdentifier=hash

Note

  • SailPoint recommends that you use the openssl utility to create the root and CIB certificates when using self-signed certificates.

  • Modify the subjectAltName value in server.cnf if you have the FQDN of the CIB server.

Perform the following steps to generate a self-signed certificate for two-way SSL authentication:

  1. Modify the openssl.cnf file based on the following example:

    [ req ]
    #default_bits = 2048
    #default_md = sha256
    #default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes

    [ req_distinguished_name ]
    countryName = IN
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = MHA
    localityName = mumbai
    0.organizationName = SailPoint1
    organizationalUnitName = tomcat
    commonName = localhost
    commonName_max = 64
    emailAddress = iinamdar1@gmail.com
    emailAddress_max = 64

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20
  2. Configure the server (Cloud Gateway):

    1. Create your own root CA:

      openssl genrsa -out "root-ca.key" 4096

      openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256

      openssl x509 -req -days 3650 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca

    2. Create a CIB server certificate:

      openssl genrsa -out "server.key" 4096

      openssl req -new -key "server.key" -out "server.csr" -sha256

      openssl x509 -req -days 750 -in "server.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "server.crt" -extfile "server.cnf" -extensions server

      To create a CIB server certificate with its private key, create cibcertdetails.txt by copying the content of the server.key file followed, on a new line, by the content of the server.crt file. Then export it as a PKCS12 file:

      openssl pkcs12 -export -name server -in cibcertdetails.txt -out servercib.p12

      Note
      You can edit any of the files in this step by opening them in a text editor.

    3. Create the Tomcat server's key pair:

      openssl genrsa -out tomcat-server.key 2048

      Use common name = <IP address>, department = SPCSR

      openssl req -new -sha256 -key tomcat-server.key -out tomcat-server.csr -config openssl.cnf

      For -config, give the file name along with the path to the configuration file. Then create the certificate from the CSR and export it as a PKCS12 file:

      openssl x509 -req -sha256 -days 36520 -in tomcat-server.csr -signkey tomcat-server.key -CA im-tomcat-root-ca.crt -CAkey im-tomcat-root-ca.key -CAcreateserial -out tomcat-server.crt

      openssl pkcs12 -export -name im-tomcat-server-cert -in tomcat-server.crt -out tomcat-server.p12 -inkey tomcat-server.key -CAfile im-tomcat-root-ca.crt -caname im-root -chain

      Note

      If the error message Error self signed certificate getting chain displays after entering the above command, perform the following steps:

      1. Copy your private key and SSL certificate to a plain text file. The private key must come first in the file, followed by the SSL certificate. This order is required.

      2. Run the following openssl command:

        openssl pkcs12 -export -name im-tomcat-server-cert -in <Your_filename>.txt -out <Your_filename>.p12

      3. You should be prompted to enter the password. Enter your password and verify it in the next prompt.

        If no location is specified, the new PKCS12 file is written to the directory where the openssl command was executed.

        Import the PKCS12 file into the Tomcat keystore and add the root CA certificate to it:

        keytool -importkeystore -destkeystore tomcat-server.jks -srckeystore tomcat-server.p12 -srcstoretype pkcs12 -alias im-tomcat-server-cert
        keytool -import -alias im-root -keystore tomcat-server.jks -trustcacerts -file im-tomcat-root-ca.crt

    4. Import the root certificate and the CIB server certificate to the cacerts file of the CIB server. Then, copy that cacerts file into the CIB Tomcat keystore/cacerts path:

      keytool -import -alias im-root -keystore cacerts -trustcacerts -file root-ca.crt -storetype jks

      keytool -importkeystore -destkeystore cacerts -srckeystore servercib.p12 -srcstoretype pkcs12 -alias server -storetype jks

  3. Configure the client (IdentityIQ):

    1. Import the root certificate and the CIB server certificate into the Java truststore (cacerts):

      keytool -import -alias server -keystore cacerts -trustcacerts -file server.crt

      keytool -import -alias root-ca -keystore cacerts -trustcacerts -file root-ca.crt

    2. Create a client-side key pair:

      openssl genrsa -out tomcat-client.key 2048

      Use common name = <Machine hostname or IP>, department = TomcatCSR

      openssl req -new -sha256 -key tomcat-client.key -out tomcat-client.csr -config openssl.cnf

      For -config, give the file name along with the path to the configuration file. Then create the certificate from the CSR and export it as a PKCS12 file:

      openssl x509 -req -sha256 -days 36520 -in tomcat-client.csr -signkey tomcat-client.key -CA im-tomcat-root-ca.crt -CAkey im-tomcat-root-ca.key -CAcreateserial -out tomcat-client.crt

      openssl pkcs12 -export -name im-tomcat-client-cert -in tomcat-client.crt -out tomcat-client.p12 -inkey tomcat-client.key -CAfile im-tomcat-root-ca.crt -caname im-root -chain

      Note

      If the error message, Error:self-signed certificate is getting chain, displays after entering the above command, perform the following steps:

      1. Copy your private key and SSL certificate to a plain text file. The private key must come first in the file, followed by the SSL certificate. This order is required.

      2. Run the following openssl command:

        openssl pkcs12 -export -name im-tomcat-server-cert -in <Your_filename>.txt -out <Your_filename>.p12

      3. You should be prompted to enter the password. Enter your password and verify it in the next prompt.

        If no location is specified, the new PKCS12 file is written to the directory where the openssl command was executed.

        Once the client certificate is generated, run the following in the server's truststore/keystore directory:

        keytool -importkeystore -alias im-tomcat-client-cert -srckeystore tomcat-client.p12 -srcstoretype PKCS12 -destkeystore tomcat-server.jks -deststoretype JKS

  4. Configure Tomcat in the server (Cloud Gateway):

    1. Add the following to the server.xml file of the Cloud Gateway server's Tomcat instance:

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="/Users/firstname.lastname/work/CertificateSSL/CA/tomcat-server.jks"
      keystorePass="changeit"
      keyAlias="im-tomcat-server-cert"
      truststoreFile="/Users/firstname.lastname/work/CertificateSSL/CA/tomcat-server.jks"
      truststorePass="changeit"
      clientAuth="true"
      sslProtocol="TLS" />
    2. Open the tomcat-client.crt and tomcat-client.key files in a text editor and copy their contents into the Cloud Gateway Application configuration page, under Client Certificate and Client Key respectively.

    3. Select Enable Client Certificate Authentication.

      1. Add the Client Certificate by copying the contents from tomcat-client.crt.

      2. Add the respective client private key (tomcat-client.key).

        Note
        By default, Cloud Gateway Two-Way SSL authentication is disabled.

    4. Check the keystore entry for the server.xml file in the CIB server:

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
          maxThreads="150" SSLEnabled="true" server="Apache"
          scheme="https" secure="true"
          keystoreFile="keystore/cacerts" keystorePass="changeit"
          clientAuth="false" sslProtocol="TLS">
      </Connector>
  5. Configure Tomcat in the client (IdentityIQ). Import the CIB server.crt and the root certificate into the IdentityIQ Java truststore (cacerts):

    keytool -import -alias root-ca -keystore cacerts -trustcacerts -file root-ca.crt

    keytool -import -alias server -keystore cacerts -trustcacerts -file server.crt

  6. Restart the server and the client.
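The root CA and CIB server certificate steps above, carried out end to end as an added example (this is not SailPoint's own script): it builds a throwaway PKI with the root_ca and server extension sections, then verifies the result with openssl before anything is imported with keytool. The host name gateway.example.test, the address 192.0.2.10 and the PKCS12 password are constructed placeholders.

```shell
# Added example (not SailPoint's script): build a throwaway root CA and
# server certificate from the root_ca/server extension sections above, then
# run the checks worth doing before anything is imported with keytool.
# gateway.example.test and 192.0.2.10 are constructed placeholder values.
build_and_verify_pki() (
  cd "$(mktemp -d)" || return 1        # subshell body, so cd stays local
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ca ]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier = hash
[ server ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:gateway.example.test, IP:192.0.2.10
subjectKeyIdentifier = hash
EOF
  # Root CA: self-signed, with the root_ca extensions applied at signing time.
  openssl genrsa -out root-ca.key 2048 2>/dev/null &&
  openssl req -new -key root-ca.key -out root-ca.csr -sha256 -config pki.cnf \
    -subj "/CN=Example Root CA" &&
  openssl x509 -req -days 3650 -in root-ca.csr -signkey root-ca.key -sha256 \
    -out root-ca.crt -extfile pki.cnf -extensions root_ca 2>/dev/null &&
  # Server certificate issued by the root CA, with the server extensions.
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -new -key server.key -out server.csr -sha256 -config pki.cnf \
    -subj "/CN=gateway.example.test" &&
  openssl x509 -req -days 750 -in server.csr -sha256 -CA root-ca.crt \
    -CAkey root-ca.key -CAcreateserial -out server.crt \
    -extfile pki.cnf -extensions server 2>/dev/null || return 1
  # Check 1: the leaf chains to the root and is acceptable for both TLS roles
  # its extendedKeyUsage (serverAuth, clientAuth) claims.
  for p in sslserver sslclient; do openssl verify -purpose "$p" -CAfile root-ca.crt server.crt >/dev/null || return 1; done
  # Check 2: the SAN and the CA:FALSE constraint really ended up in the cert.
  txt=$(openssl x509 -in server.crt -noout -text)
  printf '%s\n' "$txt" | grep -q 'DNS:gateway.example.test' &&
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 1
  # Check 3: the PKCS#12 built with -chain carries the root as well; this is
  # the command that reports "getting chain" when the leaf does not verify.
  openssl pkcs12 -export -name server -in server.crt -inkey server.key \
    -CAfile root-ca.crt -chain -out server.p12 -passout pass:changeit || return 1
  n=$(openssl pkcs12 -in server.p12 -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE')
  [ "$n" -ge 2 ]
)
```

The function returns 0 only when every check passes, so it can be dropped into a pipeline that gates the keytool imports on a certificate that actually chains and carries the intended extensions.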