- Created by Karolin Hemmingsson, last modified on Jul 04, 2018
Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:
- The first step is to download the client applet. PRIME is based on rich-client technology, which means that a signed applet is downloaded when javaws (Java Web Start) is called. This download has nothing to do with the PRIME content, so it does not necessarily need an encrypted and client-authenticated connection; the applet's integrity is protected by its code signature.
- The second step is to authenticate and communicate with the PRIME system. This connection must be an HTTPS connection with client authentication. See Configure https for Tomcat.
It is also possible to use one connector with client authentication for both steps, but then you will need to enter your PIN several times, because Java Web Start opens separate sessions to Tomcat and each new session requires a new client-certificate handshake.
Prerequisites
A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.
Step-by-step instruction
One step that is common to all types of certificate-based login in Nexus PRIME is to set up a corresponding authentication profile in PRIME Designer.
For certificate-based login, three profile types can be used:
- Client Certificate and LDAP
- Client Certificate and Core Object
- Internal - not recommended in a production environment
To set up an authentication profile:
- Log in to PRIME Designer as an administrator.
- Go to Home > Authentication Profiles.
- Click +New to add an authentication profile. Select a profile type, and click Save + Edit.
- Enter data in the fields, and click Save.
- For each profile type, one attribute is extracted from the subject DN of the client certificate and mapped to a user, so that attribute must be unique across all users of the profile. If the mapping needs to be changed, configure it in beans.xml:
  - Open beans.xml and edit the mapping:
    - For Client Certificate and LDAP, the common name (CN) must be unique. In the default setup, the LDAP CN attribute maps to the certificate CN attribute.
    - For Client Certificate and Core Object, the email address in the DN must be unique. In the profile settings of the core object authentication profile, define a Username field to contain the certificate attribute value.
    - For Internal, the common name must be unique. In the default setup, the user name attribute maps to the certificate CN attribute.
  - Save the file.

The attribute is selected by a regular expression (attributeRegEx) applied to the subject DN string; the captured group is used as the principal. Note that the default CN expression, CN=(.*?), only matches when a comma follows the CN value, and the default email expression, EMAILADDRESS=(.*), captures everything up to the end of the string. Check both expressions against the subject DN format of the certificates you actually issue.

Default setup: authentication profiles in beans.xml
```xml
<bean id="clientCertificateInternalAuthenticationProvider" parent="clientCertificateAuthenticationProvider">
    <property name="authProfileType" value="CLIENT_CERT_INTERNAL"/>
    <property name="subjectDnExtractorStrategy" ref="commonNameSubjectDNExtractorStrategy"/>
</bean>
<bean id="clientCertificateLdapAuthenticationProvider" parent="clientCertificateAuthenticationProvider">
    <property name="authProfileType" value="CLIENT_CERT_LDAP"/>
    <property name="subjectDnExtractorStrategy" ref="commonNameSubjectDNExtractorStrategy"/>
</bean>
<bean id="configurableClientCertAuthenticationProvider" parent="clientCertificateAuthenticationProvider">
    <property name="authProfileType" value="CLIENT_CERT_CORE_OBJECT"/>
    <property name="subjectDnExtractorStrategy" ref="emailSubjectDNExtractorStrategy"/>
</bean>
<!-- extract principal information from client x509 cert to authenticate user -->
<bean id="commonNameSubjectDNExtractorStrategy" class="de.vps.act.frontend.authentication.principalextractor.strategy.ClientCertificateX509SubjectDNExtractorStrategy">
    <property name="attributeRegEx" value="CN=(.*?),"/>
</bean>
<bean id="emailSubjectDNExtractorStrategy" class="de.vps.act.frontend.authentication.principalextractor.strategy.ClientCertificateX509SubjectDNExtractorStrategy">
    <property name="attributeRegEx" value="EMAILADDRESS=(.*)"/>
</bean>
```
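The following is an added example, not code from the page or from Nexus PRIME. It applies the two default attributeRegEx values above to constructed subject DN strings to show what each one extracts, and places a stricter expression of my own next to them. It assumes the DN is presented to the extractor in the usual comma-separated string form (either "," or ", " between RDNs) and that the extractor uses the first capture group of the first match; the product's own extractor class is not reproduced. The strict_extract function and the sample DNs are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# The two attributeRegEx values from the default beans.xml shown on this page.
CN_REGEX = re.compile(r"CN=(.*?),")
EMAIL_REGEX = re.compile(r"EMAILADDRESS=(.*)")


def extract_principal(subject_dn: str, regex: "re.Pattern") -> Optional[str]:
    """Return group 1 of the first match of the configured attributeRegEx against the
    subject DN string, or None if it does not match. This models the behaviour implied
    by the regular expressions in beans.xml (assumption, not the product's own code)."""
    m = regex.search(subject_dn)
    return m.group(1) if m else None


def strict_extract(subject_dn: str, attr: str) -> Optional[str]:
    """Stricter alternative (added here, not a product feature): match the attribute only
    at the start of an RDN, stop at an unescaped comma or at the end of the string, and
    remove RFC 4514 backslash escapes from the value."""
    pattern = re.compile(r"(?:^|,)\s*" + re.escape(attr) + r"=((?:\\.|[^,\\])*)(?:,|$)")
    m = pattern.search(subject_dn)
    if m is None:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))


def compare(subject_dn: str, regex: "re.Pattern", attr: str) -> Tuple[Optional[str], Optional[str]]:
    """Side by side: (value from the page's default regex, value from strict_extract)."""
    return extract_principal(subject_dn, regex), strict_extract(subject_dn, attr)


# Constructed subject DNs (not from the page) covering the common and the awkward cases.
DN_TYPICAL = "CN=alice,OU=Users,O=Example,C=SE"
DN_CN_LAST = "OU=Users,O=Example,CN=alice"            # CN is the final RDN: no trailing comma
DN_ESCAPED = "CN=Smith\\, Alice,OU=Users,O=Example"    # escaped comma inside the CN value
DN_EMAIL_FIRST = "EMAILADDRESS=alice@example.com,CN=alice,O=Example"

if __name__ == "__main__":
    cases = [(DN_TYPICAL, CN_REGEX, "CN"), (DN_CN_LAST, CN_REGEX, "CN"),
             (DN_ESCAPED, CN_REGEX, "CN"), (DN_EMAIL_FIRST, EMAIL_REGEX, "EMAILADDRESS")]
    for dn, rx, attr in cases:
        default_value, strict_value = compare(dn, rx, attr)
        print(f"{dn!r}\n  default regex -> {default_value!r}\n  strict        -> {strict_value!r}")
```

The default CN expression returns no principal when CN is the last RDN (login fails for a valid certificate), truncates a CN containing an escaped comma, and, being unanchored, also matches a "CN=...," substring inside another attribute value. The default email expression captures everything after EMAILADDRESS= including any RDNs that follow it. The stricter expression is plain enough to be used as an attributeRegEx value as well, though the unescaping step would then have to be handled elsewhere.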
To set up certificate-based login to PRIME Designer and PRIME Explorer:
- For each application, PRIME Designer and PRIME Explorer, open the file start_clientcertauth_ssl.jsp in /webapps/prime_designer/ and /webapps/prime_explorer/, respectively, and update the http and https ports:
  - httpPort is the Tomcat connector port of the non-authenticated connection used for downloading the PRIME client applet. It must be the port this JSP is called with.
  - httpsPort is the port of the connector configured with clientAuth="true".

Example: start_clientcertauth_ssl.jsp
```java
/* Adjust the http port to the port this jsp is called with */
int httpPort = 18080;
/* Adjust the https port to the port you want to open the SSL Connection with */
int httpsPort = 18444;
```
For more information on how to log in using a smart card, see Smartcard connection to PRIME.
The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS client-authentication functionality, so the client certificate must be accessible from the browser: for Internet Explorer the client certificate must be available in the Windows certificate store; for other browsers, for example Firefox, a PKCS#11 integration is necessary for smart cards.
For USSP, there are two Tomcat connectors on two different ports: one client-authenticated and one non-authenticated.
To configure certificate-based login for USSP:
- Open the file config.xml on the USSP server.
- Activate the smart card login button on the USSP login page:

Example: activate smart card login button
```xml
<loginpage>
  <displayed-links>
    <link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
  </displayed-links>
</loginpage>
```
- Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal, and the Tomcat port of the HTTPS client-certificate-authenticated connector:

Example: set up certificate authentication type
```xml
<service name="client-auth">
  <option name="https-client-auth-port" value="18444" />
  <option name="rest-server-client-auth-context" value="login/clientcertldap" />
</service>
```
The context value names the certificate authentication type (here clientcertldap); the matching authentication profile must exist in PRIME Designer.
When a user logs in to PRIME with a certificate, the PRIME server validates the certificate against the corresponding certificate revocation lists (CRLs). To verify the certificate chain of the CRL signing CA, a separate truststore is configured on the PRIME server. This truststore holds only CA certificates, but the file and system.properties should still not be readable by other users, because the properties file contains the truststore password in clear text.
To configure the path to the truststore:
- On the PRIME server, open the file system.properties.
- Modify the path to the truststore, if needed:

Example: truststore path in system.properties
```properties
jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/crlCaChain-truststore.jks"
jksKeyStoreProvider.keyStorePassword = "123456"
```
For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.