Certificate-based authentication in PRIME Designer and PRIME Explorer is a two-step communication. Therefore, two HTTP(S) ports are used when calling the PRIME URL:

The first step is to download the client applet. PRIME is based on rich-client technology, which means that a signed applet will be downloaded when calling javaws. This download has nothing to do with the PRIME content and therefore it does not necessarily need an encrypted and authenticated connection.
The second step is to authenticate and communicate with the PRIME System. This connection needs to be the HTTPS connection with client authentication. See Configure https for Tomcat.

It is also possible to use one connector with client authentication for both actions. But this means that you will need to enter your PIN several times because Java Web Start will open different sessions to the Tomcat.

Prerequisites

A working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.

Step-by-step instruction

Set up authentication profile

The first step is to set up an authentication profile in the PRIME Designer:

Follow the instructions in Set up authentication profile, to set up an authentication profile of any of the following types:
- Client Certificate and LDAP
- Client Certificate and Core Object
- Client Certificate Internal - not recommended in a production environment

Set up certificate-based login to PRIME User Self-Service Portal

The User Self-Service Portal (USSP) is an HTML5 application that runs in a web browser. Certificate-based login in USSP also relies on the Tomcat HTTPS functionality. Therefore, the client certificate must be accessible from the browser. For Internet Explorer the client certificate must be accessible via Windows Certificate Store, for other browsers, for example Firefox, a Pkcs#11 integration is necessary for smartcards.

For USSP, there are two Tomcat connectors via two different ports: one authenticated and one non-authenticated port.

To configure certificate-based login for USSP:

Open the file config.xml on the USSP server.

Activate the smart card login button on the USSP login page:

Example: activate smart card login button

<loginpage>
	<displayed-links>
		<link type="relative" protocol="https://" path="/ca" label-key="label_smartcard_login" />
	</displayed-links>
</loginpage>

Set up the type of certificate authentication to be used, either clientcertldap, clientcertcoreobject, or clientcertinternal, and the Tomcat port to the HTTPS client certificate-authenticated connector:
Example: set up certificate authentication type
```
<service name="client-auth">
	<option name="https-client-auth-port" value="18444" />
	<option name="rest-server-client-auth-context" value="login/clientcertldap" />
</service>
```

Set up validation of certificate revocation lists

When a user logs in to PRIME with a certificate, the PRIME server does a validation of the corresponding certificate revocation lists (CRLs). To check the certificate chain of the CRL Signing CA, there is a separate truststore configured on the PRIME server.

To configure the path to the truststore

On the PRIME server, open the file system.properties.
Modify the path to the truststore, if needed:
Example: truststore path in system.properties
```
jksKeyStoreProvider.keyStorePath = "file:C:/primeCerts/ crlCaChain-truststore.jks"
jksKeyStoreProvider.keyStorePassword = "123456"
```
For more information on how to configure a truststore file with the java keytool, see Configure https for Tomcat.

Access PRIME Designer, Explorer and USSP

To access the PRIME components, use the following links:

URLs to PRIME Designer and PRIME Explorer

https://<PRIMEHOSTNAME>:8444/prime_explorer/
https://<PRIMEHOSTNAME>:8444/prime_designer/
https://<PRIMEHOSTNAME>:8444/ussp/

This article is valid from PRIME 3.9

Set up certificate-based login to Nexus PRIME

Prerequisites

Step-by-step instruction

Related information