Versions Compared

Old Version 1

changes.mady.by.user Karolin Hemmingsson (Unlicensed)

Saved on

compared with

New Version Current

changes.mady.by.user Josefin Klang (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes how to ensure that card encoding works properly, when an authenticating reverse proxy, such as Smart ID Digital Access component

...

, is used in front of Smart ID Identity Manager

...

. Certain Identity Manager endpoints must be allowed, as is described below. 

Example setup

Expand
titleExamples with

...

Digital Access

...

In the following examples, it is assumed that you

...

access Identity Manager Operator via the following external URL of the reverse proxy:

Code Block
https://prime.with.hag/prime_explorer/


...which then connects to the

...

internal Identity Manager server:

Code Block
https://prime.internal:8443/prime_explorer/


Step-by-step instruction

Expand
titleAllow JPKIEncoder download endpoints

To enable Card SDK to download the JPKIEncoder, you must allow the download endpoints for JAR files:

  1. Enable everything in the /eclnt/lib/ folder to pass through without authentication. For example: 

    Code Block
    titleExample with

...

  1. Digital Access

...

  1. component as reverse proxy
    https://prime.with.hag/prime_explorer/eclnt/lib/* 
=>
https://prime.internal:8443/prime_explorer/eclnt/lib/*

    This covers the following parts: 
    /prime_explorer/eclnt/lib//filelist - list of JARs to download

    /prime_explorer/eclnt/lib//*.jar - the actual JAR files listed in filelist
Note

Make sure you use the correct syntax for your reverse proxy.



Expand
titleAllow CA connector endpoints

The CA connectors

...

of Identity Manager use a session ID cookie embedded in the cardjob to allow the JPKIEncoder to authenticate any CA requests it has to make. The reverse proxy's authentication layer must allow the CA connector cookies without authentication. Calls will still be authenticated,

...

via Identity Manager itself. 

  1. Enable everything in the /ws/ca_connectors/ folder to pass through without authentication. For example:  

    Code Block
    titleExample with Hybrid Access Gateway as reverse proxy
    https://prime.with.hag/prime_explorer/ws/ca_connectors/*
=>
https://prime.internal:8443/prime_explorer/ws/ca_connectors/*


Note

Make sure you use the correct syntax for your reverse proxy.

Make sure that cookies, at least JSESSIONID, are forwarded on these endpoints.