Application / Server Configuration
The main nevisFIDO configuration is specified in a file in standard YAML format. You find the file in the instance directory: /var/opt/nevisfido/<instance>/conf/nevisfido.yml
.
The nevisFIDO component will fail to start if incorrect configuration is provided. Observe the logs to obtain more detailed information regarding the issue. This applies to known configuration properties, unknown properties are simply ignored and do no lead to a startup failure.
It is possible to replace the configuration by supplying a custom --config
location in the RUN_ARGS
environment variable in the env.conf
file of the instance.
Some property values are expressions that will be replaced. The next list shows the available syntax:
${exec:command}
Executes the given command and uses its output as the value.
Example:
server.host: ${exec:hostname -f}
${env:variablename}
Uses the value of the specified environment variable.
Example:
server.host: ${env:HOSTNAME}
Server Configuration
The server configuration defines the configuration of the main web server.
server.port
Web application port. If not specified, the default value is 8080.
server.host
Network address to which the server must bind. By default, it binds to all available interfaces (that is, "0.0.0.0").
server.protocol
Either
http
orhttps
. It is advisable to always run nevisFIDO inhttps
mode. Refer to theserver.tls
settings for configuring TLS if set tohttps
.server.connection-timeout
The time after which idle connections will be terminated. The default value is 30 seconds. If no time unit is provided, seconds will be used.
server.tls.keystore
Path to the keystore that holds the TLS certificate of nevisFIDO.
server.tls.keystore-passphrase
Password used to access the keystore and the key. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.
server.tls.keystore-type
Defines the type of keystore. It is recommended using a "pkcs12" type of keystore. If not specified, the system will use the default keystore type of the Java Virtual Machine that runs nevisFIDO.
server.tls.key-alias
Alias that identifies the key in the keystore.
server.tls.require-client-auth
true
if client authentication (2-way TLS) is required for the TLS connection,false
if no client authentication is required.server.tls.truststore
Path to the truststore that holds the TLS certificates (typically a PKCS12 file) that nevisFIDO trusts. These are the certificates presented by the client when doing client authentication.
server.tls.truststore-passphrase
Password used to access the truststore contents. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.
server.tls.truststore-type
Defines the type of truststore. It is recommended using a "pkcs12" type of keystore. If not specified, the system will use the default keystore type of the Java Virtual Machine that runs nevisFIDO.
server.tls.supported-protocols
Provides a list of protocols that are accepted by the client when trying to initiate a connection with TLS. This attribute must be provided as an array. By default only
TLSv1.2
is supported.server.tls.cipher-suites
Provides a list of ciphers that are accepted by the client when trying to initiate a connection with TLS. This attribute must be provided as an array. The default cipher suites are:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
server:
port: 9443
host: localhost
protocol: https
connection-timeout: 30s
tls:
keystore: conf/nevisfido-server-keystore.p12
keystore-passphrase: password
keystore-type: pkcs12
key-alias: nevisfido
supported-protocols:
- TLSv1.2
cipher-suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Management Configuration
Configuration of liveness and readiness probes.
The configuration described in this section are experimental and can change in future releases.
management.server
Main node of the management server configuration properties.
management.server.port
Port where the management server listens. Currently this includes the readiness probe.
management.healthchecks
Main node for health probe configurations.
management.healthchecks.enabled
Enables liveness and readiness probes.
management:
server:
port: 9452
healthchecks:
enabled: false
Credential Repository Configuration
The credential repository holds the registered credentials. nevisFIDO needs access to this repository to be able to perform the following actions:
- Adding credentials.
- Reading credentials.
- Removing credentials.
You specify the configuration of the credential repository with the credential-repository
attribute:
credential-repository
The root node of the credential repository configuration.
credential-repository.type
Defines the type of the credential repository. Currently, you can configure two types of credential repositories, the in-memory and the nevisIDM types of credential repository.
In-Memory Credential Repository
In case of an in-memory type of credential repository, the registered credentials are stored in the memory. The registered credentials will be lost when you stop nevisFIDO. This type of credential repository is therefore mainly used for testing purposes.
To define an in-memory type of credential repository, set the value of the type
attribute to "in-memory". The in-memory repository does not have additional configuration options.
credential-repository:
type: in-memory
Do not use actively in production setups.
nevisIDM Credential Repository
In case of a nevisIDM type of credential repository, the FIDO UAF credentials are stored in nevisIDM.
If you select this type of repository, nevisFIDO needs key material to connect to nevisIDM. The connection is based on TLS Client Authentication. This means that both parties require a correctly set up private key and public certificate to be able to trust each other. The public certificate of nevisIDM has to be imported into nevisFIDO’s truststore and vice versa.
nevisFIDO has 60 seconds to establish connections to and execute requests with nevisIDM before a timeout will occur.
To define a nevisIDM type of credential repository, set the value of the type
attribute to "nevisidm".
The nevisIDM credential repository has the following additional configuration attributes:
rest-url
Defines the URL pointing to the root endpoint of the nevisIDM REST API. For example:
https://nevisidm.siven.ch:8443/nevisidm
. Configuring the REST URL is required.keystore
Defines the path to the keystore holding the nevisFIDO client certificate. nevisIDM must have a technical user whose certificate credential contains the public key of this nevisFIDO client certificate.
keystore-passphrase
Sets the password of the keystore. It is assumed that this keystore password can be used to access the key. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.
keystore-type
Defines the type of keystore. A "pkcs12" type of keystore is recommended. Using the legacy Java key-/truststore "jks" is also possible. If you do not specify this attribute, the system will use the default keystore type of the Java Virtual Machine that runs nevisFIDO.
truststore
Path to the truststore containing the nevisIDM public key.
truststore-passphrase
Defines the password used to access the truststore. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.
truststore-type
Defines the type of truststore. A "pkcs12" truststore type is recommended. Using the legacy Java key-/truststore "jks" is also possible. If you do not specify this attribute, the system will use the default truststore type of the Java Virtual Machine that runs nevisFIDO.
client-id
Specifies the ID of the nevisIDM client that contains the relevant data. Configuring the client ID is required.
user-attribute
Specifies how the
username
provided by the client applications is mapped to a user in nevisIDM. The user will be looked up in nevisIDM based on the provided information, if not found the operation will be aborted immediately. The allowed values areextId
, andloginId
. If not defined, theextId
attribute is used as value of the attribute.For UAF the username is provided in the context of the
GetUAFRequest
( for registration , authentication and deregistration). For FIDO2, the username is provided in theOptionsRequest
for registration and authentication.connection-keepalive
(String, optional, 10)Connection keepalive in seconds to use when no
Keep-Alive
policy in the HTTP header is specified.connection-timeout
(String, optional, 30)The HTTP client connection timeout value in seconds. With the default value of
30
seconds. The connection timeout defines how long the communication between a client and a server is allowed to take. The property is applied to the following: connecting to the specified url (connection timeout), receiving response from the target (socket timeout).connection-pool-max-total
(Integer, optional, 50)The maximum number of total open connections in the connection pool.
connection-pool-max-per-route
(Integer, optional, 50)The maximum number of connections per route in the connection pool.
connection-pool-timeout
(Integer, optional, 0)The HTTP client pool keep-alive timeout value in seconds. With the default value of 0 there is no timeout (Infinite). The pool will actively close idle connections when the timeout is reached.
The username mapper is experimental and there are no guarantees that it will be kept in the future.
credential-repository:
type: nevisidm
rest-url: https://nevisauth-fido-test1.zh.nevis-security.com:8443/nevisidm
keystore: /var/opt/nevisfido/default/conf/keystore.p12
keystore-passphrase: password
keystore-type: pkcs12
truststore: /var/opt/nevisfido/default/conf/truststore.p12
truststore-passphrase: password
truststore-type: pkcs12
client-id: 100
user-attribute: loginId
Session Repository Configuration
Sessions managed by nevisFIDO are stored either in the memory or in a (MariaDB) SQL database.
You specify the configuration of the session storage with the session-repository
attribute:
session-repository
The root node of the session repository configuration.
session-repository.type
The type of the session repository. The default value is "in-memory".
In-Memory Session Repository
The in-memory session repository is selected by setting "in-memory" as the repository type
. This type of session repository has no other configuration options.
session-repository:
type: in-memory
The in-memory session repository is the default. It will also be selected if the above configuration is omitted.
We recommend only using in-memory for development and testing purposes. Use the SQL session repository for production setups.
SQL Session Repository
The SQL session repository is selected by configuring "sql" as the repository type
. nevisFIDO comes bundled with MariaDB and PostgreSQL client capability. MariaDB and PostgreSQL are the officially supported SQL storage backend.
The SQL session repository needs a JDBC URL for locating the database, and a user and password for authentication. nevisFIDO will automatically initially generate the required tables in the specified database (no patches are applied later). It is recommended to create a dedicated MariaDB database to store the nevisFIDO session information. The required attributes are:
jdbc-url
The JDBC URL to the database.
Examples:
- jdbc:mariadb://localhost:3306/db?autocommit=true
- jdbc:postgresql://localhost:5432/db
For more information visit the official connection parameter documentation for MariaDB and PostgreSQL
user
The user name needed to access the database.
password
The password needed to access the database. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.
schema-user
The user name of the user who creates the schema and the tables in the database. If you do not provide a schema user here, the system will use the user specified in the attribute
user
to create the schema. However, it is recommended having different users for creating the schema and for accessing the data.
If you do not set the schema-user
attribute, do not set the schema-user-password
attribute either. Otherwise the system will throw an error. This is because the system takes the user
as fallback if no schema-user
is provided. If in this case both the password attributes schema-user-password
and password
are set, there are two passwords available for the user
attribute, which is ambiguous.
schema-user-password
The password of the
schema-user
, that is, the user who creates the schema and the tables in the database. If you do not provide the schema user password, the system takes the password specified in the attributepassword
as fallback. Use the mechanisms described in Application Configuration to avoid providing a plaintext password.automatic-db-schema-setup
If set to
true
, the tables used to store the session data will be created automatically by nevisFIDO when they are missing. Note that it will not apply patches on existing tables. For non-docker-based setups, those patches has to be manually applied based on the release notes. Set this property tofalse
if the database must be not be set-up automatically. If not specified, the default value istrue
.connection-timeout
Defines the maximum time that nevisFIDO waits for the connection to receive a response from the Database. Default is 30 seconds.
max-connection-lifetime
Defines the maximum time that a database connection remains in the connection pool. Although having a high value improves the performance, it should be lower than the connection idle timeout of the database (parameter wait_timeout in MariaDB). If not specified, the default value is 30 minutes. If no time unit is provided, seconds will be used.
max-connection-idle-time
The maximum time (If no time unit is provided, seconds), that an idle connection is kept in the connection pool. (Only applicable if the min and max size of the connection pool is different). Default value is 10 seconds.
min-connection-pool-size
Defines the minimum number of connections to be idle in the connection pool. Default value is 10. For the best performance it is recommended to keep the min and the max value the same so there is no need to ramp up and down connections. Setting the minimum pool size does not affect the maximum pool size, when setting it to a higher value than the default adjust the maximum pool size as well.
max-connection-pool-size
Defines the maximum number of connections allowed in the connection pool. Default value is 10.
session-repository:
type: sql
jdbc-url: 'jdbc:mariadb://localhost:3306/db'
user: data-user
password: secret
schema-user: schema-user
schema-user-password: schema-secret
automatic-db-schema-setup: true
session-lifetime: 25m