You must configure Protocol Gateway for external authentication against Hermod to use CM Web UI.
Before you start, the following components must be installed:
Configure Protocol Gateway for external authentication against Hermod
Set the start flag to "true" in cm-gateway/conf/auth.properties.
Configure the Hermod integration
- Follow the Hermod API integration instructions to set up an integration with Protocol Gateway and specify the callback URL to the Protocol Gateway server: https://<hostname>:<port>/pgwy/auth/. Hermod also requires that the server certificate for the Protocol Gateway on this hostname is trusted. For more information, see Add API user and callback URL in Hermod.
Enter the API key from Hermod in the auth.properties file in Protocol Gateway and set the Hermod API URL.
default.authservice.apiurl = https://<hostname>:<port>/
Set the Hermod API key. This key is produced when configuring Hermod for API integration. For more information, see Install Hermod.
default.authservice.apikey = <base64-encoded secret key>
Configure session sharing between multiple instances of Protocol Gateway
Protocol Gateway automatically detects other instances on the same network using multicast. The multicast group and/or port can be configured if needed and the automatic instance detection can be replaced by (or combined with) a static list of known instance addresses.
At its minimum, the session sharing mechanism will have to have SSL configured, to ensure secure communication.
Do the following:
Set the connection SSL truststore. Do one of the following:
Configure the SSL connection with a 'keyfile' using a certificate and key in a PKCS#12 file.
Configure the SSL connection with a subject and by connecting to a HSM with: default.cacheservice.ssl.certificate.subject
default.cacheservice.ssl.keyfile = vro.p12
Set the SSL keyfile password.
default.cacheservice.ssl.password = 1234
Optional: Disable TCP multicast. This can be useful if using static member list. See default.cacheservice.members.
default.cacheservice.multicast = false
Optional: Configure TCP multicast port and group. This can be useful if there are several instances of Protocol Gateway on the same network.
default.cacheservice.multicastgroup = 224.2.2.3
default.cacheservice.multicastport = 54327
Optional: Configure a static list of PGW member nodes. This is an alternative to multicast node discovery when the address and port of the member nodes are known before hand.
default.cacheservice.members = localhost:1234,localhost:4321
Alternative configuration: Disabled session sharing
You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.
Alternative configuration: SSL with PKCS#11
You can configure the sharing of session data to be protected using a SSL encryption certificate in HSM via PKCS#11
Configure the cacheservice to fetch the SSL encryption certificate from the HSM.
default.cacheservice.ssl.certificate.subject = Protocol Gateway VRO
Configure the cacheservice pin to access the token.
default.cacheservice.ssl.password = 1234
Configure the cacheservice to specify which PKCS#11 library to use when searching for the SSL encryption certificate and key.
default.cacheservice.ssl.pkcs11 = {ProgramFiles}/Personal/Bin/personal.[dll|so]
Configure download of Personal Desktop Client
To enable access to CM Web UI, the user must have Personal Desktop Client installed. As an administrator, you can configure CM Web UI to deliver the installation files for Personal Desktop Client to be downloaded on the sign in page. Do the following:
- Go to https://downloads.nexusgroup.com/ and download Personal Desktop Client.
- On the Tomcat instance that runs the web UI, navigate to: <tomcat-home>/webapps/webui/files
- In the directory, place the installation media for Personal Desktop Client using the following names:
- Windows: windows.zip
- Linux: ubuntu-20_22.zip
- MacOS: macosx.zip
The user can now download Personal Desktop Client by clicking the hyperlink Download Personal Desktop Client on the sign in page.
