Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes how to ensure that card encoding works properly, when an authenticating reverse proxy, such as Smart ID Digital Access component (Hybrid Access Gateway), is used in front of Smart ID Identity Manager (PRIME). Certain PRIME endpoints must be allowed, as is described below. 


Example setup

 Examples with Hybrid Access Gateway

In the following examples, it is assumed that you access PRIME Explorer via the following external URL of the reverse proxy:

https://prime.with.hag/prime_explorer/


...which then connects to the internal Prime server:

https://prime.internal:8443/prime_explorer/

Step-by-step instruction

 Allow JPKIEncoder download endpoints

To enable Card SDK to download the JPKIEncoder, you must allow the download endpoints for JAR files:

  1. Enable everything in the /eclnt/lib/ folder to pass through without authentication. For example: 

    Example with Hybrid Access Gateway as reverse proxy
    https://prime.with.hag/prime_explorer/eclnt/lib/* 
=>
https://prime.internal:8443/prime_explorer/eclnt/lib/*

    This covers the following parts: 
    /prime_explorer/eclnt/lib//filelist - list of JARs to download

    /prime_explorer/eclnt/lib//*.jar - the actual JAR files listed in filelist

Make sure you use the correct syntax for your reverse proxy.

 Allow CA connector endpoints

The CA connectors of PRIME use a session ID cookie embedded in the cardjob to allow the JPKIEncoder to authenticate any CA requests it has to make. The reverse proxy's authentication layer must allow the CA connector cookies without authentication. Calls will still be authenticated, via PRIME itself. 

  1. Enable everything in the /ws/ca_connectors/ folder to pass through without authentication. For example:  

    Example with Hybrid Access Gateway as reverse proxy
    https://prime.with.hag/prime_explorer/ws/ca_connectors/*
=>
https://prime.internal:8443/prime_explorer/ws/ca_connectors/*

Make sure you use the correct syntax for your reverse proxy.

Make sure that cookies, at least JSESSIONID, are forwarded on these endpoints.


  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions