nevisIDM Configuration
This section guides you through the steps necessary to make nevisIDM work with nevisFIDO.
You need to adjust the following nevisIDM configuration:
- Configure client TLS.
- Customize the nevisidm.properties of nevisIDM to configure client TLS.
Client TLS Configuration (Certificates)
Because nevisAuth uses client TLS to communicate with nevisIDM, you need to configure the required certificate data and the CertLoginModule of nevisIDM. See below how to proceed.
1. Ensure that the nevisidm.rest-url property in nevisfido.yml refers to the nevisIDM administration context root. See also the nevisIDM reference guide, chapter "Integration > Configuring certificate login (2-way TLS) for accessing nevisIDM web services". The context root is nevisidm (for instance https://<hostname>:8443/nevisidm).
2. Create the self-signed certificates and the keystores. All of the following commands create keystores protected with the password "password".
Client (nevisFIDO) certificate:
keytool -genkeypair -keyalg RSA -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=nevisfido,ou=auth,dc=nevis-security,dc=com" --noprompt
Server (nevisIDM) certificate (a PKCS12 keystore can be used in case of a nevisIDM standalone deployment):
keytool -genkeypair -keyalg RSA -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=siven.ch,ou=auth,dc=nevis-security,dc=com" --noprompt
The hostname is relevant: the hostname used in the certificate DN (the cn= value above) is the one the hostname verifier compares against the server name when the HTTPS connection is established, so it must match the host in the nevisidm.rest-url.
3. Create the truststores. The easy way is to use the nevisFIDO keystore as the truststore for nevisIDM and vice versa. However, the clean and safe way is to define a truststore that contains only the peer's public certificate, so that no private key is copied to the other system. For this, use the following commands.
Truststore configuration (a PKCS12 keystore can be used with a nevisIDM standalone deployment):
keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc -file X509_nevisfido.cer
keytool -importcert -alias nevisfido -file X509_nevisfido.cer -keystore nevisidm-truststore.jks -storetype jks -storepass password --noprompt
keytool -export -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -rfc -file X509_nevisidm.cer
keytool -importcert -alias nevisidm -file X509_nevisidm.cer -keystore nevisfido-truststore.p12 -storetype pkcs12 -storepass password --noprompt
4. Update the nevisIDM configuration:
- Update the file /var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties.
- Copy the previously created nevisIDM keystore and truststore to the nevisIDM machine. Update the paths of the keystore and truststore referenced in the configuration (look for nevisidm-keystore.p12 and nevisidm-truststore.p12). Make sure the file names and the -storetype you used in the keytool commands match what the configuration references: the commands above create nevisidm-keystore.jks and nevisidm-truststore.jks, whereas the configuration refers to .p12 files. For more information, refer to nevisIDM Standalone nevisidm-prop.properties.
5. Restart nevisIDM:
nevisidm restart
6. Add the public certificate of nevisFIDO to the nevisfido user in nevisIDM. Proceed as follows:
- Go to the nevisIDM administration UI. In the case of server siven.ch, the URL of the administration UI is https://siven.ch/nevisidm/admin.
- The initial credentials to log in to the nevisIDM admin UI are id=bootstrap / password=generated. You will be prompted to reset the password. By convention, reset it to Generated1!.
- In the nevisIDM administration UI, search for the user nevisfido.
- Add a credential of type "certificate" to the user nevisfido. Uncheck the "Create ticket for upload" checkbox. The certificate to be added is the public certificate of the nevisFIDO key pair. Print it on the shell and copy and paste it into the nevisIDM administration UI. To print the certificate, run one of the following commands:
keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc
or
keytool -export -alias nevisfido -keystore nevisidm-truststore.jks -storetype jks -storepass password -rfc
Some notes on the last step:
- The browser will complain about the presented certificate (which is self-signed). Accept the certificate anyway.
- If you performed the above procedure on your PC before, there will already be a certificate in your browser. Remove this certificate from your browser. This is necessary to prevent the browser from blocking you: because the previously generated certificate does not match the new certificate, the browser will not allow you to continue with the connection.
nevisIDM nevisidm-prop.properties
You need to adjust the nevisidm-prop.properties file of nevisIDM. These are the key elements:
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password
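As an added example that is not part of the nevisIDM or nevisFIDO documentation, the following POSIX shell script performs the pre-flight checks a practitioner would want before restarting nevisIDM with the settings above. It reads the server.tls.* keys from a properties file and flags a missing server.tls.require-client-auth, a truststore path identical to the keystore path, and stores still protected by the example passphrase "password"; it also checks that a nevisidm.rest-url value points at the nevisidm context root over HTTPS and that the host in that URL equals the cn= value given to keytool -dname, which is the hostname-verifier requirement from the certificate step. The two sample properties files are constructed inline (the passphrase s3cr3t-example is assumed), and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the nevisIDM/nevisFIDO documentation: pre-flight
# checks on the client-TLS settings described on this page. It only inspects
# text (a properties file, the nevisidm.rest-url value and the -dname string
# given to keytool); it never opens a keystore, so no JDK is required.

# prop FILE KEY: print the value of KEY from a key=value properties file
# (last occurrence wins, empty output if the key is absent).
prop() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# url_host URL: print the host part of scheme://host[:port]/path.
url_host() {
  printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|/.*||' -e 's|:.*||'
}

# dname_cn DNAME: print the cn= component of a keytool -dname string.
dname_cn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*[cC][nN]=//p' | head -n 1
}

# check_rest_url URL: 0 if URL is HTTPS and ends at the nevisidm context root.
check_rest_url() {
  case "$1" in
    https://*/nevisidm|https://*/nevisidm/) return 0 ;;
  esac
  echo "nevisidm.rest-url must look like https://<host>[:port]/nevisidm, got: $1"
  return 1
}

# check_cn_matches URL DNAME: 0 if the certificate CN equals the URL host,
# which is what the hostname verifier compares when the connection is made.
check_cn_matches() {
  h=$(url_host "$1"); cn=$(dname_cn "$2")
  if [ -n "$h" ] && [ "$h" = "$cn" ]; then return 0; fi
  echo "certificate CN '$cn' does not match host '$h' of the REST URL"
  return 1
}

# check_tls_props FILE: 0 if the server.tls.* keys are consistent with
# mutual TLS; prints one line per problem and returns 1 otherwise.
check_tls_props() {
  f=$1; rc=0
  [ "$(prop "$f" server.tls.enabled)" = "true" ] || { echo "server.tls.enabled is not true"; rc=1; }
  [ "$(prop "$f" server.tls.require-client-auth)" = "true" ] \
    || { echo "server.tls.require-client-auth is not true: nevisFIDO would never be asked for its certificate"; rc=1; }
  ks=$(prop "$f" server.tls.keystore); ts=$(prop "$f" server.tls.truststore)
  [ -n "$ks" ] || { echo "server.tls.keystore is missing"; rc=1; }
  [ -n "$ts" ] || { echo "server.tls.truststore is missing"; rc=1; }
  if [ -n "$ks" ] && [ "$ks" = "$ts" ]; then
    echo "keystore and truststore are the same file; the truststore should hold only the peer's public certificate"; rc=1
  fi
  for k in server.tls.keystore-passphrase server.tls.truststore-passphrase; do
    if [ "$(prop "$f" "$k")" = "password" ]; then
      echo "$k still uses the example passphrase 'password'"; rc=1
    fi
  done
  return $rc
}

# Constructed sample files: good.properties mirrors the key elements on this
# page with an assumed passphrase; bad.properties disables client auth and
# points the truststore at the keystore file.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/good.properties" <<'EOF'
server.tls.enabled=true
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=s3cr3t-example
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=s3cr3t-example
EOF
cat > "$SAMPLES/bad.properties" <<'EOF'
server.tls.enabled=true
server.tls.require-client-auth=false
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-keystore.p12
server.tls.truststore-passphrase=password
EOF

for name in good bad; do
  echo "== $name.properties"
  check_tls_props "$SAMPLES/$name.properties" && echo "ok"
done
check_rest_url 'https://siven.ch:8443/nevisidm' && echo "rest-url ok"
check_cn_matches 'https://siven.ch:8443/nevisidm' 'cn=siven.ch,ou=auth,dc=nevis-security,dc=com' && echo "cn ok"
```

Run it against your real nevisidm-prop.properties by calling check_tls_props with that path, and against the nevisidm.rest-url and the -dname you actually used; the script reports each problem on its own line and exits non-zero, so it can gate a deployment step. The checks are deliberately textual: whether the keystores really contain the expected entries is still verified with keytool -list on the nevisIDM machine.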
Complete nevisidm-prop.properties Example
The following code sample shows a complete nevisidm-prop.properties configuration to be used with a nevisIDM deployment:
# Server configuration
server.tls.enabled=true
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password
# DB connectivity
database.connection.url=jdbc:mysql://localhost:3306/nevisidm?autocommit=0
database.connection.username=UIDM02
database.connection.password=UIDM02
# Auditing
application.modules.auditing.provider=jsonAuditProvider
application.modules.auditing.file=${server.log.dir}/audit.json
# Folder to store pdf
application.modules.printing.dir.target=/var/tmp/nevisidm_pdfs
# mail server
application.mail.smtp.host=localhost
application.mail.smtp.port=25
[email protected]
# enables enterprise role feature
application.feature.enterpriserole.enabled=true
# enable application.feature.multiclientmode.enabled
application.feature.multiclientmode.enabled=true
# Experimental REST service
experimentalRest.enabled=true
# Ninja Truststore
server.auth.ninja.truststore=/var/opt/neviskeybox/default/nevis/truststore.jks
multiClientMode=true