Comment: Updated for 3.10

Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:

  • The first step is to download the client applet. PRIME is based on rich-client technology, which means that a signed applet is downloaded when Java Web Start (javaws) is called. This download has nothing to do with the PRIME content, so it does not necessarily need an encrypted and client-authenticated connection.
  • The second step is to authenticate and communicate with the PRIME system. This connection must be an HTTPS connection with client authentication. See Configure https for Tomcat.

    Note
    It is also possible to use a single connector with client authentication for both steps, but then you will have to enter your PIN several times, because Java Web Start opens separate sessions to Tomcat.

    This article describes how to set up certificate-based login to Nexus PRIME.

    Prerequisites


    A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.
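As an added example that is not part of this page or of the product's own Tomcat configuration, the following server.xml fragment shows the two connectors the two-step flow above needs, written in the SSLHostConfig syntax of Tomcat 8.5 and later. The port numbers follow this page (8444 for the applet download and the USSP login page, 18444 for client-certificate-authenticated traffic); the keystore file names, passwords and the truststore contents are placeholders:

```xml
<!-- Added example: server.xml connectors for the two-step flow described on this
     page. Not part of the Nexus PRIME documentation. Ports follow the page;
     keystore names, passwords and the truststore content are placeholders. -->

<!-- Step 1: signed applet download (Java Web Start) and the USSP login page.
     Server-authenticated TLS only; the client certificate is not requested. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3" certificateVerification="none">
    <Certificate certificateKeystoreFile="conf/prime-server.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Step 2: PRIME login and application traffic. The TLS handshake fails unless
     the client presents a certificate that chains to a CA in client-ca-truststore.jks. -->
<Connector port="18444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3" certificateVerification="required"
                 truststoreFile="conf/client-ca-truststore.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/prime-server.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>
```

Keep certificateVerification="required" on the 18444 connector: with "optional" Tomcat would also accept connections that present no certificate at all, which defeats the purpose of a dedicated client-authenticated port. Relative keystore and truststore paths are resolved against $CATALINA_BASE.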

    Step-by-step instruction

    Set up authentication profile

    The first step is to set up an authentication profile in the PRIME Designer:

    1. Follow the instructions in Set up authentication profile, to set up an authentication profile of any of the following types:
      • Client Certificate and LDAP
      • Client Certificate and Core Object
      • Client Certificate Internal - not recommended in a production environment
    2. Select the certificate attribute the system shall extract the login information from:
      • User Principal Name (UPN): extracts the information from the SAN attribute "otherName"
      • SAN Email (RFC822Name): extracts the information from the SAN attribute "rfc822Name"
      • Subject CN: extracts the information from the CN field of the subject
      • Subject Email: extracts the information from the EMAILADDRESS field of the subject
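As an added example (not Nexus PRIME code), the following Python script shows where each of the four attribute choices takes the login identifier from. It walks the DER of a certificate subject name and subjectAltName extension with a minimal decoder instead of a third-party X.509 library; the subject, the e-mail addresses and the UPN are constructed sample data, not values from a real certificate. The extractor returns None when the selected attribute is absent, which is the situation an operator runs into when the profile attribute does not match what the CA actually puts into the certificates:

```python
"""Added example (not Nexus PRIME code): where each certificate attribute choice
reads the login identifier from. A minimal DER walker is used instead of a
third-party X.509 library; the subject and SAN below are constructed sample data."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"     # Microsoft UPN otherName type-id
CN_OID = "2.5.4.3"                     # id-at-commonName
EMAIL_OID = "1.2.840.113549.1.9.1"     # PKCS#9 emailAddress


# ---- tiny DER encoder, only used to build the sample input ----
def der(tag, body):
    assert len(body) < 0x80              # short-form lengths suffice for the samples
    return bytes([tag, len(body)]) + body

def oid_body(dotted):
    """Content octets of an OBJECT IDENTIFIER (base-128, high bit = continuation)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


# ---- tiny DER decoder ----
def tlv(buf, pos=0):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


# ---- the four extraction rules ----
def subject_attr(subject, oid):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value }."""
    for _, rdn in children(tlv(subject)[1]):
        for _, atv in children(rdn):
            (t_tag, t_val), (_, v_val) = children(atv)
            if t_tag == 0x06 and t_val == oid_body(oid):
                return v_val.decode("utf-8")
    return None

def san_rfc822(san):
    """GeneralName rfc822Name = [1] IMPLICIT IA5String (tag 0x81)."""
    for tag, val in children(tlv(san)[1]):
        if tag == 0x81:
            return val.decode("ascii")
    return None

def san_upn(san):
    """otherName = [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    for tag, val in children(tlv(san)[1]):
        if tag != 0xA0:
            continue
        (t_tag, t_val), (_, explicit) = children(val)
        if t_tag == 0x06 and t_val == oid_body(UPN_OID):
            return tlv(explicit)[1].decode("utf-8")
    return None

EXTRACTORS = {
    "User Principal Name (UPN)": lambda subject, san: san_upn(san),
    "SAN Email (RFC822Name)":    lambda subject, san: san_rfc822(san),
    "Subject CN":                lambda subject, san: subject_attr(subject, CN_OID),
    "Subject Email":             lambda subject, san: subject_attr(subject, EMAIL_OID),
}

def login_name(subject, san, attribute):
    """Identifier to look up in LDAP / the core object, or None -> reject the login."""
    return EXTRACTORS[attribute](subject, san)


# ---- constructed sample data (not a real certificate) ----
def _atv(oid, tag, text):
    return der(0x31, der(0x30, der(0x06, oid_body(oid)) + der(tag, text.encode())))

SUBJECT = der(0x30, _atv(CN_OID, 0x0C, "Alice Example")          # UTF8String
                  + _atv(EMAIL_OID, 0x16, "alice@example.com"))   # IA5String
SAN = der(0x30, der(0x81, b"alice@example.com")
              + der(0xA0, der(0x06, oid_body(UPN_OID))
                        + der(0xA0, der(0x0C, b"alice@corp.example"))))
SAN_WITHOUT_UPN = der(0x30, der(0x81, b"bob@example.com"))

if __name__ == "__main__":
    for attr in EXTRACTORS:
        print(f"{attr:26} -> {login_name(SUBJECT, SAN, attr)!r}")
    print("UPN on a cert without one ->",
          login_name(SUBJECT, SAN_WITHOUT_UPN, "User Principal Name (UPN)"))
```

Before choosing the attribute, inspect a certificate issued by your CA and confirm that exactly one value of the selected kind is present: with none, the lookup has nothing to search for and the login must fail; with several, the result depends on which one the server picks (this example simply takes the first).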
    Set up certificate-based login to PRIME User Self-Service Portal

    The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS functionality, so the client certificate must be accessible from the browser: Internet Explorer reads it from the Windows certificate store, while other browsers, for example Firefox, need a PKCS#11 integration to reach a smart card.

    For USSP, there are two Tomcat connectors on two different ports: one with client certificate authentication and one without.

    To configure certificate-based login for USSP:

    1. Open the file config.xml on the USSP server.
    2. Activate the smart card login button on the USSP login page:

      Example: activate smart card login button
      <loginpage>
      	<displayed-links>
      		<link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
      	</displayed-links>
      </loginpage>

    3. Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal (corresponding to the authentication profile type set up in the PRIME Designer), and the Tomcat port of the HTTPS connector with client certificate authentication:

      Example: set up certificate authentication type
      <service name="client-auth">
      	<option name="https-client-auth-port" value="18444" />
      	<option name="rest-server-client-auth-context" value="login/clientcertldap" />
      </service>

    Set up validation of certificate revocation lists

    When a user logs in to PRIME with a certificate, the PRIME server validates the certificate against the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, a separate truststore is configured on the PRIME server.

    To configure the path to the truststore:

    1. On the PRIME server, open the file system.properties.
    2. Modify the path to the truststore, if needed:

      Example: truststore path in system.properties
      jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/crlCaChain-truststore.jks"
      jksKeyStoreProvider.keyStorePassword = "123456"

      The truststore password is stored in clear text, so restrict read access to system.properties to the account that runs the PRIME server.

      For more information on how to configure a truststore file with the Java keytool, see Configure https for Tomcat.


    Access PRIME Designer, PRIME Explorer and USSP

    To access the PRIME components, use the following links:

    URLs to PRIME Designer, PRIME Explorer and USSP
    https://<PRIMEHOSTNAME>:8444/prime_explorer/
    https://<PRIMEHOSTNAME>:8444/prime_designer/
    https://<PRIMEHOSTNAME>:8444/ussp/

    Note
    For PRIME Self-Service you need to click on the link "Client Certificate Login" on the login page.