Versions Compared

Old Version 5

changes.mady.by.user Karolin Hemmingsson

Saved on

compared with

New Version 6

changes.mady.by.user Karolin Hemmingsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Previous version updated for PRIME 3.9

Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:

  • The first step is to download the client applet. PRIME is based on rich-client technology, which means that a signed applet will be downloaded when calling javaws. This download has nothing to do with the PRIME content and therefore it does not necessarily need an encrypted and authenticated connection.

  • The second step is to authenticate and communicate with the PRIME System. This connection needs to be the HTTPS connection with client authentication. See Configure https for Tomcat

    Note
    It is also possible to use one connector with client authentication for both actions. But this means that you will need to enter your PIN several times because Java Web Start will open different sessions to the Tomcat.


Prerequisites

Expand
titlePrerequisites

A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

Step-by-step instruction

Expand
titleSet up authentication profile

The first step is to set up an authentication profile in the PRIME Designer:

  1. Follow the instructions in Set up authentication profile, to set up an authentication profile of any of the following types:
    • Client Certificate and LDAP
    • Client Certificate and Core Object
    • Client Certificate Internal - not recommended in a production environment


Expand
titleSet up certificate-based login to PRIME User Self-Service Portal

The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS functionality. Therefore, the client certificate must be accessible from the browser. For Internet Explorer the client certificate must be accessible via Windows Certificate Store, for other browsers, for example Firefox, a Pkcs#11 integration is necessary for smartcards.

For USSP, there are two Tomcat connectors via two different ports: one authenticated and one non-authenticated port.

To configure certificate-based login for USSP:

  1. Open the file config.xml on the USSP server.

  2. Activate the smart card login button on the USSP login page:

    Code Block
    languagetext
    titleExample: activate smart card login button
    <loginpage>
	<displayed-links>
		<link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
	</displayed-links>
</loginpage>


  3. Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal, and the Tomcat port to the HTTPS client certificate-authenticated connector:

    Code Block
    languagetext
    titleExample: set up certificate authentication type
    <service name="client-auth">
	<option name="https-client-auth-port" value="18444" />
	<option name="rest-server-client-auth-context" value="login/clientcertldap" />
</service>



Expand
titleSet up validation of certificate revocation lists

When a user logs in to PRIME with a certificate, the PRIME server does a validation of the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, there is a separate truststore configured on the PRIME server.

To configure the path to the truststore

  1. On the PRIME server, open the file system.properties.

  2. Modify the path to the truststore, if needed:

    Code Block
    languagetext
    titleExample: truststore path in system.properties
    jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/ crlCaChain-truststore.jks"
jksKeyStoreProvider.keyStorePassword = "123456"


    For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.


Expand
titleAccess PRIME Designer, Explorer and USSP

To access the PRIME components, use the following links: 

Code Block
languagexml
titleURLs to PRIME Designer and PRIME Explorer
https://<PRIMEHOSTNAME>:8444/prime_explorer/
https://<PRIMEHOSTNAME>:8444/prime_designer/
https://<PRIMEHOSTNAME>:8444/ussp/



This article is valid from PRIME 3.9

Related information