The following prerequisites apply: 

• PRIME Identity Manager is installed, see Install Identity Manager.
• Personal Smart ID Messaging (Hermod) is installed locally or running as a service, see Install Hermod.
• Server certificates to PRIME Identity Manager and Hermod must be available, to set up an https connection. 

Do settings in Personal Smart ID Messaging to connect to PRIME Identity Manager over https: 

1. To set up PRIME Identity Manager as a client, add PRIME Identity Manager as an API user and select a callback URL, according to Add API user and callback URL in Hermod. Do the following settings:

   1. In callbackUrl, enter the Hermod callback endpoint of PRIME Explorer, Identity Manager with the https scheme and corresponding https port. 

   2. If PRIME Identity Manager shall share users with another system, for example Smart ID Digital Access component (Hybrid Access Gateway), make sure that they have the same group in the Personal Smart ID Messaging setup.
      

      Code Block
      title Example: Set up PRIME as client in Personal Messaging
      allowedClients:           - clientId: prime-server1        key: 59c2a0a1999d42dbbe7f16ef1072736a031c5f4739c04025a641ae1751849857        group: acme        callbackUrl: https://${hostname}:${port}/prime_explorer/ws/hermod        callbackBasicAuth: admin:admin

      
      

2. In publicUrl: enter the Personal Smart ID Messaging service endpoint, with the https scheme and corresponding https port:

   Code Block
   title Example: publicUrl
   https://hermod-server-url:28443/hermod/rest/ms

   
   

1. Log in to Identity Manager Admin.

To set up the connection to Personal Smart ID Messaging in PRIMEIdentity Manager:

1. In PRIME Identity Manager Designer, go to Home > Messaging Server.

2. To add a new messaging server:

   1. Click +New. Enter a Name and a Description.

   2. Click Save+Edit. 
      The Messaging Server panel is shown.

   3. In URL, enter the URL of the messaging server ending with command. The example assumes it is deployed as the web app Hermod. 

      1. Set the scheme to HTTPS and the port to the port number used by Hermod for callbacks. See Add API user and callback URL in Hermod

         Code Block
         title Example: URL to Hermod web app
         https://<my-hermod-server>:<port>/hermod/rest/command

         
         

   4. In Authentication token, enter base64(clientId:key) with the values for clientId and key that were used in the new client. 

      Code Block
      title Example: Authentication token
      cHJpbWUxOjA3OWI2YTY0ZDc1YjRlOTU4NWJkMGMyNGYzNmE3ZGViYTBhZDAzNDk4ZWNmNGQ2OWI1NzY2ZjI0ZmEwMmUwNDU=

      
      

   5. In Lifespan, enter the desired lifespan in seconds of a command to Personal Smart ID Messaging.
      After this time, the command is removed from history and the provisioning will fail. 
   6. In Timeout, enter the desired timeout in seconds of a command to Personal Smart ID Messaging. The timeout must be shorter than the lifespan.
      After this time, the command is removed from the message box, but kept for polling until the lifespan is reached.
3. To edit an existing identity template, double-click on its name.
   

The Smart ID clients (Personal) Mobile and Desktop clients refuse HTTP connections. Therefore, Personal Smart ID Messaging must be set up to listen on an HTTPS port. It is recommended to also run PRIME Identity Manager over HTTPS, even if callbacks from Personal Smart ID Messaging to PRIME Identity Manager are also allowed over HTTP. The following instruction assumes that both Personal Smart ID Messaging and PRIME Identity Manager run in Tomcat.

To set up HTTPS connections for PRIME Identity Manager and Personal Smart ID Messaging: 

1. Set up HTTPS ports in the file server.xml in the respective Tomcat installation. 
2. Make sure that the following URLs have the HTTPS scheme and ports for HTTPS, as described above:
   1. In Personal Smart ID Messaging:
      
      1. callbackUrl: PRIME Identity Manager callback base URL for Personal Smart ID Messaging.
      2. publicUrl: Personal  Smart ID Messaging MS endpoint
   2. In PRIMEIdentity Manager: 
      1. URL: Personal  Smart ID Messaging command URL for PRIMEIdentity Manager.
3. Configure cacerts with the new CA certificate:
   1. Copy the file jre\lib\security\cacerts of the JVM and store it somewhere, for example in C:\the\modified\cacerts. 
   2. Import the new CA certificate in the new cacerts file. 

   3. Set the cacerts as JVM arguments of each Tomcat, for example, by setting the CATALINA_OPTS environment variable:
      

      Code Block
      title Example: JVM arguments in CATALINA_OPTS
      -Djavax.net.ssl.trustStore="C:\the\modified\cacerts" -Djavax.net.ssl.trustStorePassword="changeit"