ForgeRock / secret-agent

Generate random Kubernetes secrets and optionally store them in a Cloud Secret Manager
Apache License 2.0
17 stars, 20 forks

Add enterprise CA cert trust to secret-agent #207

Open mstrent opened 3 years ago

mstrent commented 3 years ago

Background: We have an enterprise PKI and a firewall with transparent "Man in the Middle" HTTPS inspection. Clients from inside our firewall accessing HTTPS sites will be presented with a reissued certificate by the MitM signed by our internal CA, which obviously looks pretty fishy and breaks TLS unless clients trust our CA.

Main thing: We are setting up an on-prem ForgeOps environment connected to Azure for Key Vault and backups storage. The MitM breaks HTTPS to Azure. We have been able to add our enterprise CA cert to the Java truststore for most of the ForgeRock stack via the Secret Agent "truststoreImportPaths" configuration. This is working just fine for DS/CTS backups to Azure storage.

However, Secret Agent itself doesn't trust our CA, which breaks Azure Key Vault connections. I don't see any OOTB way to make Secret Agent trust our CA. What would you recommend?

Duplicate of https://backstage.forgerock.com/support/tickets?id=64943 for visibility.

Thanks!
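What "trusting the enterprise CA" means for a Go client such as secret-agent, as an added example that is not the project's own code: build a root pool from the system store plus a mounted CA PEM, then check that a certificate re-signed by that CA verifies only once the CA is in the pool. The function names, the `vault.example.net` host and the CA name are assumptions; the CA and leaf are constructed inside the block as test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// trustPool returns the system roots plus the CA certificates in extraCAPEM, for use as tls.Config.RootCAs.
func trustPool(extraCAPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // system store unreadable: start from an empty pool
	}
	if !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("no CA certificate could be parsed from the supplied PEM")
	}
	return pool, nil
}

// verifyWith checks leaf for host the way a TLS client would, using pool as the roots.
func verifyWith(pool *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// constructedChain builds a throwaway internal CA and a leaf it signed (constructed test data only).
func constructedChain() (caPEM []byte, leaf *x509.Certificate, err error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	// The CA template doubles as the signing parent; chain building matches it by issuer name.
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vault.example.net"},
		DNSNames: []string{"vault.example.net"}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, srv, ca, leafPub, caKey)
	if err == nil {
		leaf, err = x509.ParseCertificate(leafDER)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, err
}
```

In a container the same effect is usually reached by mounting the CA PEM where the system store is read, so that `x509.SystemCertPool()` already contains it.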

mstrent commented 3 years ago

FYI shared our in-house solution to this in the FR support ticket linked above.