Secure connections

Secure communication between the agent and AM

Be aware of security breaches and vulnerabilities. Make sure your environment isn’t using outdated, insecure protocols, such as SSL 3.0, TLS 1.0, and others.

To secure communications, configure the agent to validate server certificates installed in the server where AM runs and to present a client certificate to AM. Learn more in AM’s Secure HTTP and LDAP connections.

To facilitate integration and test, Web Agent is configured by default to trust any server certificate. Test client certificates aren’t provided or configured.

To send cookies only when the communication channel is secure, set Enable Cookie Security to true.

Secure communication with OpenSSL

Unix-based agents support OpenSSL libraries. Windows-based agents can use OpenSSL or the Windows Secure Channel API (Schannel).

If you want to use OpenSSL for the IIS, ISAPI, or Windows Apache agent, configure the agent to use OpenSSL before continuing:

Make sure the OpenSSL libraries are in the correct location.
Disable Schannel by setting the Enable OpenSSL to Secure Internal Communications property to true.

Configure server certificate validation using OpenSSL

Perform the following steps to configure the agent to validate AM’s or Advanced Identity Cloud’s server certificate:

Set the Server Certificate Trust property to false.

The Server Certificate Trust property should always be false in production.
Set the CA Certificate File Name property to the filename of the CA bundle for your system. The exact location and name of the CRT file varies by operating system. For example, for Ubuntu, it’s /etc/ssl/certs/ca-certificates.crt.
Set the OpenSSL Certificate Verification Depth property to the level of certificate validation required in your environment.
Restart the agent.

Configure client certificate authentication using OpenSSL

When AM or Advanced Identity Cloud are configured to perform client authentication, you must configure the agent to present its client certificates as follows:

Create a PEM file that contains the certificate chain for the agent. For example, client-cert.pem.
Create a PEM file that contains the private key corresponding to the certificate. For example, client-private-key.pem.

Set the Public Client Certificate File Name property to the file containing the certificate chain. For example:

Unix
Windows

com.forgerock.agents.config.cert.file = /opt/certificates/client-cert.pem

com.forgerock.agents.config.cert.file = C:\Certificates\client-cert.pem

Set the Private Client Certificate File Name property to the file containing the client certificate private key. For example:

Unix
Windows

com.forgerock.agents.config.cert.key = /opt/certificates/client-private-key.pem

com.forgerock.agents.config.cert.key = C:\Certificates\client-private-key.pem

If the private key is password-protected:

Obfuscate the password using the agentadmin --p command. For example:

Unix
Windows

$ /path/to/web_agents/agent_type/bin/> agentadmin --p encryption-Key “cat certificate_password.file”
Encrypted password value: zck+6RKqjtc=

C:\path\to\web_agents\agent_type\bin> agentadmin.exe --p encryption-Key "Certificate_File_Password"
Encrypted password value: zck+6RKqjtc=

Where encryption-Key is the value of the Agent Profile Password Encryption Key property.

Set the Private Key Password property to the encrypted password value. For example:
```
com.forgerock.agents.config.cert.key.password = zck+6RKqjtc=
```

Restart the agent.

Use the agentadmin --Vi command to validate the TLS connection settings between the agent and AM or Advanced Identity Cloud.

Secure communication with Schannel

By default, IIS, ISAPI, and Apache for Windows agents use the Windows built-in Secure Channel API (Schannel). Alternatively, you can use OpenSSL as described in Secure internal communication with OpenSSL.

Before continuing, make sure the agent is configured to use Schannel:

If this is a new installation, Windows-based agents use Schannel by default.
If you’ve previously configured the IIS, ISAPI, or Apache agent to use OpenSSL libraries, set the Enable OpenSSL to Secure Internal Communications property to false.

Configure server certificate validation using Schannel

Perform the following steps to configure the agent to validate AM’s or Advanced Identity Cloud’s server certificate:

Set the Server Certificate Trust property to false.

The Server Certificate Trust property should always be false in production.
If you’re using self-signed certificates or the server certificate is issued from a new CA, add the certificates required to validate AM’s or Advanced Identity Cloud’s server certificate to the Windows certificate store. For example, to use PowerShell, add certificates to the following locations:
- Root CA certificates: add them to the Cert:\LocalMachine\Root location.
- Intermediate CA certificates: add them to the Cert:\LocalMachine\Ca location.
Restart the agent.

Configure client certificate authentication using Schannel

When AM or Advanced Identity Cloud are configured to perform client authentication, you must configure the agent to present its client certificates using one of the following methods.

The method you use depends on whether you are loading the client certificate through the Windows certificate store or through a PFX certificate:

Agent authenticates using a client certificate stored in the Windows Certificate store

Configure the agent to present its client certificate as follows:

Import the client certificate chain and private key into the Windows certificate store. For example, for PowerShell, import them to Cert:\LocalMachine\My.
Set the Public Client Certificate Friendly Name property to the friendly name of the client certificate chain. For example:
```
com.forgerock.agents.config.win.clientcert.friendly.name = agent.example.com
```
Restart the agent.

Agent authenticates using a PFX file that contains the certificate chain

Configure the agent to present its client certificate as follows:

Create a Personal Information Exchange (PFX) file that contains the certificate chain for the agent and its private key. For example, client.pfx .
Set the Public Client Certificate File Name property to the PFX file you just created. For example:
```
com.forgerock.agents.config.cert.file = C:\Certificates\client.pfx
```
Obfuscate the certificate password using the agentadmin --p command. For example:
```
C:\path\to\web_agents\agent_type\bin> agentadmin.exe --p encryption-Key "Certificate_File_Password"
Encrypted password value: zck+6RKqjtc=
```
Where encryption-Key is the value of the Agent Profile Password Encryption Key property.
Set the Private Key Password property to the encrypted password value. For example:
```
com.forgerock.agents.config.cert.key.password = zck+6RKqjtc=
```
Restart the agent.

Use the agentadmin --Vi command to validate the TLS connection settings between the agent and AM or Advanced Identity Cloud.

FIPS 140 compliance

Managing FIPS is a complicated process that requires specialist knowledge. Unless you have to be FIPS compliant, it’s best not to use FIPS mode.

Unix-based agents

The OpenSSL version is important. Web Agents operating in FIPS mode only work with OpenSSL 3.x. Currently, OpenSSL 3.1.2 is the only FIPS module that’s FIPS 140-3 validated. All other OpenSSL FIPS modules are FIPS 140-2 validated.

To achieve FIPS 140–3 compliance, configure the FIPS module using OpenSSL 3.1.2, which is a FIPS 140-3 compliant security provider. The FIPS 140-3 security provider can then be used with any OpenSSL 3.x version. Learn more in OpenSSL Downloads and OpenSSL 3.1.2 security policy.

The agent automatically enables FIPS mode when it detects that the OpenSSL FIPS security provider is configured.

You can configure the FIPS module in OpenSSL or in your operating system if your vendor provides OpenSSL 3.x and supports FIPS mode.

Find more information in these links:

fips_module in the OpenSSL documentation
FIPS README in the OpenSSL repository
Switching RHEL to FIPS mode in the RHEL documentation
FIPS 140-3 Compliance in Oracle Linux 9 in the Oracle documentation
FIPS for Ubuntu 22.04 in the Ubuntu documentation
Enabling compliance with FIPS 140-3 in the SUSE Linux documentation

Windows-based agents

Windows Servers are currently only FIPS 140-2 compliant.

To achieve FIPS 140–2 compliance, enable FIPS compliant algorithms.

The agent automatically enables FIPS mode when it detects the use of FIPS compliant algorithms.

You can configure Windows to use FIPS compliant algorithms by setting the Local Security Policy:

Go to Local Security Policy > Local Policies > Security Options > System cryptography > Use FIPS compliant algorithms for encryption, hashing, and signing and select the Enabled option.
Click Apply.

This enables FIPS mode using Schannel.

Use the agentadmin --Vi command to verify that the agent is running in FIPS mode.