Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:

...

The second step is to authenticate and communicate with the PRIME System. This connection needs to be the HTTPS connection with client authentication. See Configure HTTPS for Tomcat.

Note
It is also possible to use one connector with client authentication for both actions, but this means that you will need to enter your PIN several times, because Java Web Start opens separate sessions to Tomcat.

Note

Not yet supported for Docker. The article is only relevant for WAR file deployment.

Info

This article is valid for Smart ID 20.11 and later.

This article describes how to set up certificate-based login to Smart ID Identity Manager.

Prerequisites

A working HTTPS configuration with client authentication on the Tomcat is required. See Configure HTTPS for Tomcat.

Step-by-step instruction

...

Set up authentication profile

The first step is to set up an authentication profile in Identity Manager Admin:

Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal, and the Tomcat port to the HTTPS client certificate-authenticated connector:

Example: set up certificate authentication type

<service name="client-auth">
	<option name="https-client-auth-port" value="18444" />
	<option name="rest-server-client-auth-context" value="login/clientcertldap" />
</service>

...

  1. Follow the instructions in Set up authentication profile in Identity Manager to set up an authentication profile of any of the following types:

    • Client Certificate and LDAP

    • Client Certificate and Core Object

    • Client Certificate Internal - not recommended in a production environment

...

Set up certificate-based login to PRIME User Self-Service Portal

The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS functionality; therefore, the client certificate must be accessible from the browser. For Internet Explorer, the client certificate must be accessible via the Windows Certificate Store; for other browsers, for example Firefox, a PKCS#11 integration is necessary for smart cards.

For USSP, there are two Tomcat connectors on two different ports: one port with client authentication and one without.

To configure certificate-based login for USSP:

...

Activate the smart card login button on the USSP login page:

Example: activate smart card login button

<loginpage>
	<displayed-links>
		<link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
	</displayed-links>
</loginpage>

  1. Select the certificate attribute the system shall extract the login information from.

    • User Principal Name (UPN): Extracts the information from the SAN attribute "otherName"

    • SAN Email (RFC822Name): Extracts the information from the SAN attribute "rfc822Name"

    • Subject CN: Extracts the information from the CN field

    • Subject Email: Extracts the information from the EMAILADDRESS field

Set up validation chain for user certificates

When a user logs in to Identity Manager with a certificate, the Identity Manager server validates the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL signing CA, a separate truststore is configured on the Identity Manager server.

To configure the path to the truststore:

  1. On the Identity Manager server, open the file system.properties.

  2. Modify the path to the truststore, if needed:

    jksKeyStoreProvider.keyStorePath = "file:C:/idmCerts/crlCaChain-truststore.jks"
    jksKeyStoreProvider.keyStorePassword = "123456"

    For more information on how to configure a truststore file with the Java keytool, see Configure HTTPS for Tomcat.

...

Access Identity Manager clients

To access the Identity Manager clients, use the following links:

https://<idmhost>:8444/prime_explorer/
https://<idmhost>:8444/prime_designer/
https://<idmhost>:8444/ussp/

This article is valid from PRIME 3.9.

Related information

...

Info

For Smart ID Self-Service, you need to click on the link "Client Certificate Login" on the login page.

Additional information

Useful links

...