/
Configure Certificate Manager Web UI
Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Configure Certificate Manager Web UI

Owned by Ylva Andersson
Last updated: Dec 12, 2024Version comment
3 min read

All changes, including the sub-sections below, are configured in the cm-gateway/conf/auth.properties configuration file.

You must configure Protocol Gateway for external authentication against Hermod to use CM Web UI. 

Before you start, the following components must be installed/configured:

Configure Protocol Gateway for external authentication against Hermod

Set the start flag to "true" in cm-gateway/conf/auth.properties.

start = true

Configure the Hermod integration

  1. Follow the Hermod API integration instructions to set up an integration with Protocol Gateway and specify the callback URL to the Protocol Gateway server: https://<hostname>:<port>/pgwy/auth/. Hermod also requires that the server certificate for the Protocol Gateway on this hostname is trusted. For more information, see Add API user and callback URL in Hermod.

  2. Enter the API key from Hermod in the auth.properties file in Protocol Gateway and set the Hermod API URL.

This specifies where the Hermod API can be reached and depends on the installation.

default.authservice.apiurl = https://<hostname>:<port>/

  1. Set the Hermod API key. This key is produced when configuring Hermod for API integration. For more information, see Install Hermod.

default.authservice.apikey = <base64-encoded secret key>

Configure session sharing between multiple instances of Protocol Gateway

Protocol Gateway automatically detects other instances on the same network using multicast. The multicast group and/or port can be configured if needed and the automatic instance detection can be replaced by (or combined with) a static list of known instance addresses.

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

At its minimum, the session sharing mechanism will have to have SSL configured, to ensure secure communication.

Do the following:

  1. Set the connection SSL truststore. Do one of the following:

    • Configure the SSL connection with a 'keyfile' using a certificate and key in a PKCS#12 file. 

    • Configure the SSL connection with a subject and by connecting to a HSM with: default.cacheservice.ssl.certificate.subject 

      default.cacheservice.ssl.keyfile = vro.p12

  2. Set the SSL keyfile password.

    default.cacheservice.ssl.password = 1234

  3. Optional: Disable TCP multicast. This can be useful if using static member list. See default.cacheservice.members.

    default.cacheservice.multicast = false

  4. Optional: Configure TCP multicast port and group. This can be useful if there are several instances of Protocol Gateway on the same network.

    default.cacheservice.multicastgroup = 224.2.2.3 default.cacheservice.multicastport = 54327

  5. Optional: Configure a static list of PGW member nodes. This is an alternative to multicast node discovery when the address and port of the member nodes are known before hand.

    default.cacheservice.members = localhost:1234,localhost:4321

Alternative configuration: Disabled session sharing

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

  • Configure the cacheservice as a local cache and remove all other cacheservice related configurations.

    default.cacheservice.factory = com.nexussafe.cm.pgwy.auth.cache.local.LocalCacheServiceFactory

Alternative configuration: SSL with PKCS#11

You can configure the sharing of session data to be protected using a SSL encryption certificate in HSM via PKCS#11

  • Configure the cacheservice to fetch the SSL encryption certificate from the HSM.

    default.cacheservice.ssl.certificate.subject = Protocol Gateway VRO

  • Configure the cacheservice pin to access the token.

    default.cacheservice.ssl.password = 1234

  • Configure the cacheservice to specify which PKCS#11 library to use when searching for the SSL encryption certificate and key.

    default.cacheservice.ssl.pkcs11 = {ProgramFiles}/Personal/Bin/personal.[dll|so]

Configure download of Personal Desktop Client

To enable access to CM Web UI, the user must have Personal Desktop Client installed. As an administrator, you can configure CM Web UI to deliver the installation files for Personal Desktop Client to be downloaded on the sign in page. Do the following:

  1. Go to https://downloads.nexusgroup.com/ and download Personal Desktop Client.

  2. On the Tomcat instance that runs the web UI, navigate to: <tomcat-home>/webapps/webui/files

  3. In the directory, place the installation media for Personal Desktop Client using the following names:

    • Windows: windows.zip

    • Linux: ubuntu-20_22.zip

    • MacOS: macosx.zip

The user can now download Personal Desktop Client by clicking the hyperlink Download Personal Desktop Client on the sign in page.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions