Skip to main content
Version: 7.2402.x.x RR

nevisProxy Configuration

This section guides you through the steps necessary to set up nevisProxy. Because these steps are different for each operation, the configuration is described on a per-operation basis and illustrated by code snippets.

info

You configure the registration and deregistration endpoints in the same way. To avoid duplication and for the sake of clarity, this chapter does not include the snippets for deregistration. Use the registration configuration snippets to configure the deregistration endpoints (and adapt the endpoints).

Configuration Snippets For UAF Registration

It is recommended only allowing authenticated users to perform registration. The following configuration snippet shows how to protect the nevisFIDO registration endpoint.

This is how it works. First the client application tries to perform a registration through the URL https://<hostname>/fidouaf/registration/. nevisProxy redirects the client to the FIDO_UAF_REGISTRATION realm/domain in nevisAuth, in order for the client to authenticate, for instance by providing an user ID and password. Redirecting and authenticating the client is achieved by defining an IdentityCreationFilter.

Once the client is successfully authenticated, nevisAuth generates a SecToken with information regarding the authenticated user. nevisAuth the sends the SecToken to nevisProxy, which must forward it to nevisFIDO. In order for nevisProxy to send the SecToken to nevisFIDO, configure a DelegationFilter.

<!-- Authentication filter for FIDO UAF Registration -->
<filter>
    <filter-name>FidoUafRegistrationFilter</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::auth::IdentityCreationFilter</filter-class>
    <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>NevisAuthConnector</param-value>
        <description>The configured name of the authentication servlet</description>
    </init-param>
    <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
        <description>The configured name of the login renderer servlet</description>
    </init-param>
    <init-param>
        <param-name>Realm</param-name>
        <param-value>FIDO_UAF_REGISTRATION</param-value>
        <description>The realm of the registration</description>
    </init-param>
    <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>7200</param-value>
        <description>
            The maximum interval between two request associated to the same session
            (if deleted or 0, value is taken from nevisAuth 'Domain' element)
        </description>
    </init-param>
    <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>localhost</param-value>
        <description>The entry point id (will be part of the sectoken)</description>
    </init-param>
    <init-param>
        <param-name>StoreInterceptedRequest</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>InterceptionRedirect</param-name>
        <param-value>never</param-value>
    </init-param>
</filter>

<!-- Delegation filter for nevisFIDO.  The role of this filter is to transmit the SecToken to nevisFIDO. -->
<filter>
    <filter-name>FidoUafRegistrationDelegationFilter</filter-name>
    <filter-class>::ch::nevis::isiweb4::filter::delegation::DelegationFilter</filter-class>
    <init-param>
        <param-name>DelegateBasicAuth</param-name>
        <!-- The value of the first element here is not relevant.  However the SecToken must
              be included as the second element.  nevisFIDO will ignore the value of
              the first parameter and will extract the username from the SecToken.  -->
        <param-value>
            AUTH:user.auth.UserId
            AUTH:user.auth.SecToken
        </param-value>
    </init-param>
</filter>

<!-- URL Mapping with the endpoint to be protected. -->
<filter-mapping>
    <filter-name>FidoUafRegistrationFilter</filter-name>
    <url-pattern>/fidouaf/registration/*</url-pattern>
</filter-mapping>

<!-- Mapping to use the delegation filter with the connector for registration. -->
<filter-mapping>
    <filter-name>FidoUafRegistrationDelegationFilter</filter-name>
    <servlet-name>FidoUafRegistrationConnector</servlet-name>
</filter-mapping>

<!-- nevisFIDO registration endpoint.  It is protected with an IdentityFilter. It describes the
     nevisFIDO server host, port and URL. -->
<servlet>
    <servlet-name>FidoUafRegistrationConnector</servlet-name>
    <servlet-class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>
    <init-param>
        <param-name>InetAddress</param-name>
        <param-value>localhost:9443</param-value>
    </init-param>
    <init-param>
        <param-name>MappingType</param-name>
        <param-value>pathinfo</param-value>
    </init-param>
    <init-param>
        <param-name>URIPrefix</param-name>
        <param-value>/nevisfido/uaf/1.1/request/registration</param-value>
    </init-param>
    <init-param>
        <param-name>AutoRewrite</param-name>
        <param-value>off</param-value>
    </init-param>
    <init-param>
        <param-name>Transport.SSLCACertificateFile</param-name>
        <param-value>/var/opt/neviscerts/X509-nevisfido-server.cer</param-value>
    </init-param>
</servlet>

<!-- The URL mapping for the nevisFIDO registration as application. -->
<servlet-mapping>
    <servlet-name>FidoUafRegistrationConnector</servlet-name>
    <url-pattern>/fidouaf/registration/*</url-pattern>
</servlet-mapping>

Configuration Snippets For UAF Authentication

The following snippet shows a sample nevisProxy configuration that allows you to protect an application through authentication.

This is how it works. The application is accessible through the URL https://<hostname>/exampleapplication/. The IdentityCreationFilter redirects non-authenticated clients that want to access the application to nevisAuth, to the realm/domain FIDO_UAF_AUTHENTICATION. Here, the clients have to authenticate using FIDO UAF.o tee nevisAuth Mobile Authentication Auth States for details on how to configure nevisAuth for authentication with FIDO UAF.

<!-- Authentication filter to protect the application. -->
<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::auth::IdentityCreationFilter</filter-class>
    <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>NevisAuthConnector</param-value>
        <description>The configured name of the authentication servlet</description>
    </init-param>
    <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
        <description>The configured name of the login renderer servlet</description>
    </init-param>
    <init-param>
        <param-name>Realm</param-name>
        <param-value>FIDO_UAF_AUTHENTICATION</param-value>
        <description>The realm of the authentication</description>
    </init-param>
    <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>7200</param-value>
        <description>
            The maximum interval between two request associated to the same session
            (if deleted or 0, value is taken from nevisAuth 'Domain' element)
        </description>
    </init-param>
    <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>localhost</param-value>
        <description>The entry point id (will be part of the sectoken)</description>
    </init-param>
    <!-- The following is required, so that nevisAuth retrieves the body of the POST operations
         sent to nevisProxy. -->
    <init-param>
        <param-name>InterceptionRedirect</param-name>
        <param-value>never</param-value>
    </init-param>
</filter>

<!-- Configuration describing the nevisAuth instance to be used to perform the authentication. -->
<servlet>
    <servlet-name>NevisAuthConnector</servlet-name>
    <servlet-class>ch::nevis::isiweb4::servlet::connector::soap::esauth4::Esauth4ConnectorServlet</servlet-class>
    <init-param>
        <param-name>TargetURI</param-name>
        <param-value>/nevisauth/services/AuthenticationService</param-value>
    </init-param>
    <init-param>
        <param-name>Encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>Transport.InetAddress</param-name>
        <param-value>localhost:8991</param-value>
    </init-param>
    <init-param>
        <param-name>Transport.ConnectTimeout</param-name>
        <param-value>45000</param-value>
        <description>
            msec, nevisAuth startup in tomcat5 takes some time and
            listener is open too early
        </description>
    </init-param>
    <init-param>
        <param-name>Transport.RequestTimeout</param-name>
        <param-value>90000</param-value>
        <description>
            msec, 1/3 of this timeout is used to poll nevisAuth for
            terminated session.
        </description>
    </init-param>
    <init-param>
        <param-name>Transport.SSLClientCertificateFile</param-name>
        <param-value>/var/opt/keybox/default/node_keystore.pem</param-value>
    </init-param>
    <init-param>
        <param-name>Transport.SSLCACertificateFile</param-name>
        <param-value>/var/opt/keybox/default/truststore.pem</param-value>
    </init-param>
    <init-param>
        <param-name>Transport.SSLCheckPeerHostname</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>

<!-- URL Mapping for the application to be protected. -->
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/exampleapplication/*</url-pattern>
</filter-mapping>