Versions Compared

Old Version 4

changes.mady.by.user Karolin Hemmingsson

Saved on

compared with

New Version 5

changes.mady.by.user Karolin Hemmingsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:

  • The first step is to download the client applet. PRIME is based on rich-client technology, which means that a signed applet will be downloaded when calling javaws. This download has nothing to do with the PRIME content and therefore it does not necessarily need an encrypted and authenticated connection.

  • The second step is to authenticate and communicate with the PRIME System. This connection needs to be the HTTPS connection with client authentication. See See Configure https for Tomcat. 

    Note
    It is also possible to use one connector with client authentication for both actions. But this means that you will need to enter your PIN several times because Java Web Start will open different sessions to the Tomcat.


Prerequisites

Expand
titlePrerequisites

A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

Step-by-step instruction

<bean id="clientCertificateInternalAuthenticationProvider" parent="clientCertificateAuthenticationProvider"> <property name="authProfileType" value="CLIENT_CERT_INTERNAL"/> <property name="subjectDnExtractorStrategy" ref="commonNameSubjectDNExtractorStrategy"/> </bean> <bean id="clientCertificateLdapAuthenticationProvider" parent="clientCertificateAuthenticationProvider"> <property name="authProfileType" value="CLIENT_CERT_LDAP"/> <property name="subjectDnExtractorStrategy" ref="commonNameSubjectDNExtractorStrategy"/> </bean> <bean id="configurableClientCertAuthenticationProvider" parent="clientCertificateAuthenticationProvider"> <property name="authProfileType" value="CLIENT_CERT_CORE_OBJECT"/> <property name="subjectDnExtractorStrategy" ref="emailSubjectDNExtractorStrategy"/> </bean> <!-- extract principal information from client x509 cert to authenticate user --> <bean id="commonNameSubjectDNExtractorStrategy" class="de.vps.act.frontend.authentication.principalextractor.strategy.ClientCertificateX509SubjectDNExtractorStrategy"> <property name="attributeRegEx" value="CN=(.*?),"/> </bean> <bean id="emailSubjectDNExtractorStrategy" class="de.vps.act.frontend.authentication.principalextractor.strategy.ClientCertificateX509SubjectDNExtractorStrategy"> <property name="attributeRegEx" value="EMAILADDRESS=(.*)"/> </bean>
Expand
titleSet up authentication profile

One The first step that is common for all types of certificate-based login in Nexus PRIME is to set up a corresponding an authentication profile in the PRIME Designer.For certificate-based login, there are three profile types that can be used:

  1. Follow the instructions in Set up authentication profile, to set up an authentication profile of any of the following types:
    • Client Certificate and LDAP
    • Client Certificate and Core Object
    • Client Certificate Internal - not recommended in a production environment

To set up an authentication profile:

  1. Log in to PRIME Designer as an administrator.
  2. Go to Home > Authentication Profiles.
  3. Click +New to add an authentication profile. Select a profile type, and click Save + Edit.
  4. Enter data in the fields, and click Save.
  5. For each type, a unique certificate attribute is defined that can be mapped to a user. If the mapping needs to be updated, configure the mapping in beans.xml:
    1. Open beans.xml. Edit the mapping:
      1. For Client certificate and LDAP, the common name, CN, must be unique. In the default setup, the LDAP CN attribute maps to the certificate CN attribute.
      2. For Client certificate and core object, the email address in the DN must be unique. In the profile settings of the core object authentication profile, define a Username field to contain the certificate attribute value.
      3. For Internal, the common name must be unique. In the default setup, the user name attribute maps to the certificate CN attribute.
    2. Save the file.
Code Block
languagetext
titleDefault setup: authentication profiles in beans.xml


To set Designer and PRIME Explorer:For each application PRIME Designer and PRIME Explorer, open the file start_clientcertauth_ssl.jsp in /webapps/prime_designer/ and /webapps/prime_explorer/, respectively. Update the http and https ports.
httpPort is the Tomcat Connector Port to the non-authenticated connection for downloading the PRIME client applet.
httpsPort is the connection with “clientAuth=true”.
Expand
titleSet up certificate-based login to PRIME Designer and PRIME Explorer
up certificate-based login to PRIME
Code Block
languagetext
titleExample: start_clientcertauth_ssl.jsp
/* Adjust the http port to the port this jsp is called with */
int httpPort = 18080;

/* Adjust the https port to the port you want to open the SSL Connection with */
int httpsPort = 18444;

For more information on how to log in using smart card, see Smartcard connection to PRIME.

Expand
titleSet up certificate-based login to PRIME User Self-Service Portal

The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS functionality. Therefore, the client certificate must be accessible from the browser. For Internet Explorer the client certificate must be accessible via Windows Certificate Store, for other browsers, for example Firefox, a Pkcs#11 integration is necessary for smartcards.

For USSP, there are two Tomcat connectors via two different ports: one authenticated and one non-authenticated port.

To configure certificate-based login for USSP:

  1. Open the file config.xml on the USSP server.

  2. Activate the smart card login button on the USSP login page:

    Code Block
    languagetext
    titleExample: activate smart card login button
    <loginpage>
	<displayed-links>
		<link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
	</displayed-links>
</loginpage>


  3. Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal, and the Tomcat port to the HTTPS client certificate-authenticated connector:

    Code Block
    languagetext
    titleExample: set up certificate authentication type
    <service name="client-auth">
	<option name="https-client-auth-port" value="18444" />
	<option name="rest-server-client-auth-context" value="login/clientcertldap" />
</service>



Expand
titleSet up validation of certificate revocation lists

When a user logs in to PRIME with a certificate, the PRIME server does a validation of the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, there is a separate truststore configured on the PRIME server.

To configure the path to the truststore

  1. On the PRIME server, open the file system.properties.

  2. Modify the path to the truststore, if needed:

    Code Block
    languagetext
    titleExample: truststore path in system.properties
    jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/ crlCaChain-truststore.jks"
jksKeyStoreProvider.keyStorePassword = "123456"


    For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.


Expand
titleAccess PRIME Designer, Explorer and USSP

To access the PRIME components, use the following links: 

Code Block
languagexml
titleURLs to PRIME Designer and PRIME Explorer
https://<PRIMEHOSTNAME>:8444/prime_explorer/
https://<PRIMEHOSTNAME>:8444/prime_designer/
https://<PRIMEHOSTNAME>:8444/ussp/



Related information