Skip to main content
Version: 8.2505.x.x RR

nevisIDM Configuration

This section guides you through the steps necessary to make nevisIDM work with nevisFIDO.

You need to adjust the following nevisIDM configuration:

  1. Configure client TLS.
  2. Customize the nevisidm.properties of nevisIDM to configure client TLS.

Client TLS Configuration (Certificates)

Because nevisAuth uses client TLS to communicate with nevisIDM, you need to configure the required certificate data and the CertLoginModule of nevisIDM. See below how to proceed.

  1. Ensure that the nevisidm.rest-url property in the nevisfido.yml refers to the nevisIDM administration context root. See also the nevisIDM reference guide, chapter "Integration > Configuring certificate login (2-way TLS) for accessing nevisIDM web services" The context root is nevisidm (for instance https://<hostname>:8443/nevisidm).

  2. Create the self-signed certificates and the keystores. All of the following commands create keystores protected with the password password.

    Client (nevisFIDO) certificate

    keytool -genkeypair -keyalg RSA -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=nevisfido,ou=auth,dc=nevis-security,dc=com" --noprompt

    Server (nevisIDM) certificate (a PKCS12 keystore can be used in case of a nevisIDM standalone deployment)

    keytool -genkeypair -keyalg RSA -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=siven.ch,ou=auth,dc=nevis-security,dc=com" --noprompt

    The hostname is relevant: The hostname used in the certificate DN is the one used by the hostname verifiers when establishing the HTTPS connection.

  3. Create the truststores. The easy way is to use the nevisFIDO keystore as the truststore for nevisIDM and vice versa. However, the clean/safe way is to define a truststore that only contains the public key. For this, use the following commands:

    Truststore configuration (a PKCS12 keystore can be used with a nevisIDM standalone deployment)

    keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc -file X509_nevisfido.cer

    keytool -importcert -alias nevisfido -file X509_nevisfido.cer -keystore nevisidm-truststore.jks -storetype jks -storepass password --noprompt

    keytool -export -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -rfc -file X509_nevisidm.cer

    keytool -importcert -alias nevisidm -file X509_nevisidm.cer -keystore nevisfido-truststore.p12 -storetype pkcs12 -storepass password --noprompt

  4. Update the nevisIDM configuration:

    Update the file /var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties.

    Copy the previously created nevisIDM keystore and truststore to the nevisIDM machine. You will have to update the paths of the keystores and truststores referenced in the configuration (look for nevisidm-keystore.p12 and nevisidm-truststore.p12).

    For more information, refer to nevisIDM Standalone nevisidm-prop.properties.

  5. Restart nevisIDM:

nevisidm restart

  1. Add the public certificate of nevisFIDO to the nevisfido user in nevisIDM. Proceed as follows:

    1. Go to the nevisIDM administration UI. In the case of server siven.ch, the URL of the administration UI is: https://siven.ch/nevisidm/admin.

    2. The initial credentials to log in to the nevisIDM admin UI are id=bootstrap / password=generated. You will be prompted to reset the password. By convention, reset it to Generated1!.

    3. In the nevisIDM administration UI, search for the user nevisfido.

    4. Add a credential of type "certificate" to the user nevisfido. Uncheck the Create ticket for upload checkbox. The certificate to be added is the public key of the nevisFIDO certificate. Print the public key on the shell and copy & paste it to the nevisIDM administration UI. To print the certificate, you can run one the following command:

      keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc

    or

    keytool -export -alias nevisfido -keystore nevisidm-truststore.jks -storetype jks -storepass password -rfc

    Some notes to the last step:

    • The browser will complain about the presented certificate (which is self-signed). Accept the certificate anyway.

    • If you performed the above procedure on your pc before, there will already be a certificate in your browser. Remove this certificate from your browser. This is necessary to prevent you from being blocked by the browser: Because the previously generated certificate does not match the new certificate, the browser will not allow you to carry on with the connection.

nevisIDM nevisidm-prop.properties

You need to adjust the nevisidm-prop.properties file of nevisIDM. These are the key elements:

server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password

Complete nevisidm-prop.properties Example

The following code sample shows a complete nevisidm-prop.properties configuration to be used with nevisIDM deployment:

# Server configuration
server.tls.enabled=true
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password

# DB connectivity
database.connection.url=jdbc:mysql://localhost:3306/nevisidm?autocommit=0
database.connection.username=UIDM02
database.connection.password=UIDM02

# Auditing
application.modules.auditing.provider=jsonAuditProvider
application.modules.auditing.file=${server.log.dir}/audit.json

# Folder to store pdf
application.modules.printing.dir.target=/var/tmp/nevisidm_pdfs

# mail server
application.mail.smtp.host=localhost
application.mail.smtp.port=25
[email protected]

# enables enterprise role feature
application.feature.enterpriserole.enabled=true

# enable application.feature.multiclientmode.enabled
application.feature.multiclientmode.enabled=true

# Experimental REST service
experimentalRest.enabled=true

# Ninja Truststore
server.auth.ninja.truststore=/var/opt/neviskeybox/default/nevis/truststore.jks
multiClientMode=true