Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

SCEP NDES Setup

Owned by Josefin Klang (Deactivated)
Last updated: Jun 19, 2024
2 min read

SCEP NDES Configuration Overview

Configuration of SCEP NDES does not require many steps. Utilize the default SCEP NDES handlers that are delivered with the product. There are two handlers required for SCEP NDES to work. The challenge handler and the request handler. The default challenge handler is handler.3 and the default request handler is handler.4.

The dynamic password generated by sending an authorized request to the challenge url is globally available. As such there is only one challenge handler required, unless there is a requirement that each administrator has unique credentials.

For each NDES request token procedure you must create an always open wildcard registration using the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password. This wildcard registration is required to perform the initial match before the dynamic password is verified.

Configure SCEP NDES

Prerequisites

SCEP NDES utilizes the CF Production Order services to handle the dynamically created registrations. This requires that the parameter CardProductionManager.start is set to true in cm.conf.

Procedure policy objects

  1. Launch the Nexus Administrators Workbench client (AWB). 

  2. Create a new certificate procedure using the AWB. The certificate format must be scepndesdynamicenroll. 

  3. Create a new token procedure using the AWB. It should reference the created certificate procedure, have storage profile pkcs10 and the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password.

Wildcard order

  1. Launch the Nexus Registration Authority client (RA).

  2. Navigate to the order tab and select the token procedure created previously. Create a new registration with the following values:

    FQDN: *
    Validity time (days): always
    State: Open

Handler configuration in scep.properties

The remaining task is to configure the two handlers for SCEP NDES. The request handler must have the previously created token procedure as its configured handler.x.tokenprocedure. A list of all available parameters can be found in the next section. 

Parameters

NDES Challenge handler

NDES challenge filter. The request url to match this handler.

handler.3.filter = ndeschallenge/

NDES challenge format. Must be set to scep-ndes.

handler.3.format = scep-ndes

NDES admin username. Change the default admin username to your desired username.

handler.3.ndesUsername = ndesadmin

NDES admin password. Change the default admin password to your desired password. Remember to scramble the password.

NDES challenge validity. Defines the duration time of the validity of the dynamically created challenge password. Expects ISO-8601 duration format. Default validity is 15 minutes (PT15M).

NDES challenge encoding. Defines the encoding of the challenge webpage. Default is UTF-8 and is supported by the majority of users.

NDES Request handler

NDES request filter. The request url to match this handler.

NDES request format. Must be set to scep.

NDES request token procedure.

 





Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions