A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

The first step is to set up an authentication profile in the PRIME DesignerIdentity Manager Admin:

1. Follow the instructions in Set up authentication profile in Identity Manager, to set up an authentication profile of any of the following types:
   
   • Client Certificate and LDAP
   • Client Certificate and Core Object
   • Client Certificate Internal - not recommended in a production environment
2. Select the certificate attribute the system shall extract the login information from.
   • User Principal Name (UPN): Extracts the information from the SANAttribute "otherName"
   • SAN Email (RFC822Name): Extracts the information from the SANAttribute "rfc822Name"
   • Subject CN: Extracts the information from the CN field
   • Subject Email: Extracts the information from the EMAILADDRESS field

When a user logs in to PRIME Identity Manager with a certificate, the PRIME Identity Manager server does a validation of the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, there is a separate truststore configured on the PRIME Identity Manager server.

To configure the path to the truststore

1. On the PRIME Identity Manager server, open the file system.properties.

2. Modify the path to the truststore, if needed:

   Code Block
   language text title Example: truststore path in system.properties
   jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/crlCaChain-truststore.jks" jksKeyStoreProvider.keyStorePassword = "123456"

   
   For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.

To access the PRIME componentsIdentity Manager clients, use the following links: 

https://<PRIMEHOSTNAME>:8444/prime_explorer/
https://<PRIMEHOSTNAME>:8444/prime_designer/
https://<PRIMEHOSTNAME>:8444/ussp/