Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: New/updates links added in the intro section.
Note

All changes, including the sub-sections below, are configured in the cm-gateway/conf/auth.properties configuration file.

You must configure Protocol Gateway for external authentication against Hermod to use CM Web UI. 

Before you start, the following components must be installed/configured:

...

...

Configure Protocol Gateway for external authentication against Hermod

Set the start flag to "true" in cm-gateway/conf/auth.properties.

Code Block
start = true
Expand
title

Configure the Hermod integration

  1. Follow the Hermod API integration instructions to set up an integration with Protocol Gateway and specify the callback URL to the Protocol Gateway server: https://<hostname>:<port>/pgwy/auth/. Hermod also requires that the server certificate for the Protocol Gateway on this hostname is trusted. For more information, see Add API user and callback URL in Hermod.

  2. Enter the API key from Hermod in the auth.properties file in Protocol Gateway and set the Hermod API URL.

Note

This specifies where the Hermod API can be reached and depends on the installation.

Code Block
default.authservice.apiurl = https://<hostname>:<port>/
  1. Set the Hermod API key. This key is produced when configuring Hermod for API integration. For more information, see Install Hermod.

title
Code Block
default.authservice.apikey = <base64-encoded secret key>
Expand

Configure session sharing between multiple instances of Protocol Gateway

Protocol Gateway automatically detects other instances on the same network using multicast. The multicast group and/or port can be configured if needed and the automatic instance detection can be replaced by (or combined with) a static list of known instance addresses.

Note

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

At its minimum, the session sharing mechanism will have to have SSL configured, to ensure secure communication.

Do the following:

  1. Set the connection SSL truststore. Do one of the following:

    • Configure the SSL connection with a 'keyfile' using a certificate and key in a PKCS#12 file. 

    • Configure the SSL connection with a subject and by connecting to a HSM with: default.cacheservice.ssl.certificate.subject 

      Code Block
      default.cacheservice.ssl.keyfile = vro.p12
  2. Set the SSL keyfile password.

    Code Block
    default.cacheservice.ssl.password = 1234
  3. Optional: Disable TCP multicast. This can be useful if using static member list. See default.cacheservice.members.

    Code Block
    default.cacheservice.multicast = false

...

  1. Optional: Configure TCP multicast port and group. This can be useful if there are several instances of Protocol Gateway on the same network.

    Code Block
    default.cacheservice.multicastgroup = 224.2.2.3
    default.cacheservice.multicastport = 54327

 

  1. Optional: Configure a static list of PGW member nodes. This is an alternative to multicast node discovery when the address and port of the member nodes are known before hand.

    Code Block
    default.cacheservice.members = localhost:1234,localhost:4321

...

 

...

Alternative configuration: Disabled session sharing

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

  • Configure the cacheservice as a local cache and remove all other cacheservice related configurations.

    Code Block
    default.cacheservice.factory = com.nexussafe.cm.pgwy.auth.cache.local.LocalCacheServiceFactory

...

...

Alternative configuration: SSL with PKCS#11

You can configure the sharing of session data to be protected using a SSL encryption certificate in HSM via PKCS#11

  • Configure the cacheservice to fetch the SSL encryption certificate from the HSM.

    Code Block
    default.cacheservice.ssl.certificate.subject = Protocol Gateway VRO
  • Configure the cacheservice pin to access the token.

    Code Block
    default.cacheservice.ssl.password = 1234
  • Configure the cacheservice to specify which PKCS#11 library to use when searching for the SSL encryption certificate and key.

    Code Block
    default.cacheservice.ssl.pkcs11 = {ProgramFiles}/Personal/Bin/personal.[dll|so]

...

Configure download of Personal Desktop Client

To enable access to CM Web UI, the user must have Personal Desktop Client installed. As an administrator, you can configure CM Web UI to deliver the installation files for Personal Desktop Client to be downloaded on the sign in page. Do the following:

  1. Go to https://downloads.nexusgroup.com/ and download Personal Desktop Client.

  2. On the Tomcat instance that runs the web UI, navigate to: <tomcat-home>/webapps/webui/files

  3. In the directory, place the installation media for Personal Desktop Client using the following names:

    • Windows: windows.zip

    • Linux: ubuntu-20_22.zip

    • MacOS: macosx.zip

The user can now download Personal Desktop Client by clicking the hyperlink Download Personal Desktop Client on the sign in page.

...