Page Comparison

Note
All changes, including the sub-sections below, are configured in the cm-gateway/conf/auth.properties configuration file.

...

Expand

title	Configure Protocol Gateway for external authentication against Hermod

Set the start flag to "true" in cm-gateway/conf/auth.properties.

Code Block
start = true

Expand

title	Configure the Hermod integration

Follow the Hermod API integration instructions to set up an integration with Protocol Gateway and specify the callback URL to the Protocol Gateway server: https://<hostname>:<port>/pgwy/auth/. Hermod also requires that the server certificate for the Protocol Gateway on this hostname is trusted. For more information, see Add API user and callback URL in Hermod.
Enter the API key from Hermod in the auth.properties file in Protocol Gateway and set the Hermod API URL.
Note
This specifies where the Hermod API can be reached and depends on the installation.
Code Block
default.authservice.apiurl = https://<hostname>:<port>/
Set the Hermod API key. This key is produced when configuring Hermod for API integration. For more information, see Install Hermod.
Code Block
default.authservice.apikey = <base64-encoded secret key>

...

Expand

title	Configure session sharing between multiple instances of Protocol Gateway

Protocol Gateway automatically detects other instances on the same network using multicast. The multicast group and/or port can be configured if needed and the automatic instance detection can be replaced by (or combined with) a static list of known instance addresses.

Note
You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

At its minimum, the session sharing mechanism will have to have SSL configured, to ensure secure communication.

Do the following:

Set the connection SSL truststore. Do one of the following:
- Configure the SSL connection with a 'keyfile' using a certificate and key in a PKCS#12 file.
- Configure the SSL connection with a subject and by connecting to a HSM with: default.cacheservice.ssl.certificate.subject
  Code Block
  default.cacheservice.ssl.keyfile = vro.p12

Set the SSL keyfile password.

Code Block
default.cacheservice.ssl.password = 1234

Optional: Disable TCP multicast. This can be useful if using static member list. See default.cacheservice.members.
Code Block
default.cacheservice.multicast = false
Optional: Configure TCP multicast port and group. This can be useful if there are several instances of Protocol Gateway on the same network.
Code Block
default.cacheservice.multicastgroup = 224.2.2.3 default.cacheservice.multicastport = 54327
Optional: Configure a static list of PGW member nodes. This is an alternative to multicast node discovery when the address and port of the member nodes are known before hand.
Code Block
default.cacheservice.members = localhost:1234,localhost:4321

Expand

title	Alternative configuration: Disabled session sharing

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

Configure the cacheservice as a local cache and remove all other cacheservice related configurations.
Code Block
default.cacheservice.factory = com.nexussafe.cm.pgwy.auth.cache.local.LocalCacheServiceFactory

...

Expand

title	Alternative configuration: SSL with PKCS#11

You can configure the sharing of session data to be protected using a SSL encryption certificate in HSM via PKCS#11

Configure the cacheservice to fetch the SSL encryption certificate from the HSM.
Code Block
default.cacheservice.ssl.certificate.subject = Protocol Gateway VRO
Configure the cacheservice pin to access the token.
Code Block
default.cacheservice.ssl.password = 1234
Configure the cacheservice to specify which PKCS#11 library to use when searching for the SSL encryption certificate and key.
Code Block
default.cacheservice.ssl.pkcs11 = {ProgramFiles}/Personal/Bin/personal.[dll|so]

...

Versions Compared

Old Version 2

New Version 3

Key