In the following examples, it is assumed that you access PRIME Explorer access Identity Manager Operator via the following external URL of the reverse proxy:

https://prime.with.hag/prime_explorer/

...which then connects to the internal Prime internal Identity Manager server:

https://prime.internal:8443/prime_explorer/

To enable Card SDK to download the JPKIEncoder, you must allow the download endpoints for JAR files:

1. Enable everything in the /eclnt/lib/ folder to pass through without authentication. For example: 

   Code Block
   title Example with Hybrid Digital Access Gateway component as reverse proxy
   https://prime.with.hag/prime_explorer/eclnt/lib/*  => https://prime.internal:8443/prime_explorer/eclnt/lib/*

   This covers the following parts: 
   /prime_explorer/eclnt/lib//filelist - list of JARs to download

   /prime_explorer/eclnt/lib//*.jar - the actual JAR files listed in filelist

The CA connectors of PRIME of Identity Manager use a session ID cookie embedded in the cardjob to allow the JPKIEncoder to authenticate any CA requests it has to make. The reverse proxy's authentication layer must allow the CA connector cookies without authentication. Calls will still be authenticated, via PRIME via Identity Manager itself. 

1. Enable everything in the /ws/ca_connectors/ folder to pass through without authentication. For example:  

   Code Block
   title Example with Hybrid Access Gateway as reverse proxy
   https://prime.with.hag/prime_explorer/ws/ca_connectors/* => https://prime.internal:8443/prime_explorer/ws/ca_connectors/*