Integrate Identity Manager with QuoVadis connector
- Ann Base
- Ylva Andersson
- Josefin Klang
- Karolin Hemmingsson
This article is valid for Smart ID 21.04 and later.
This article describes how to connect to the QuoVadis certificate authority from Smart ID Identity Manager. For the supported certificate authorities, see IDM 23.10.3 - Requirements and interoperability.
The following files and details are required:
QuoVadis account name
Endpoint URL of the QuoVadis CA service
QuoVadis CA server certificate (Open the CA endpoint URL in the browser and export the certificate from there)
CA client PKCS#12 file + signing password
Policy template IDs used by your QuoVadis organisation(s)
If you want to use an HTTP proxy server such as Squid for the QuoVadis connector, you need these as well:
hostname or IP of the proxy
port of the proxy
Proxy authentication is not yet supported.
If you plan to use certificate archival and recovery, the following is also required:
A configured Smart ID Certificate Manager (CM) and CM connector for key archival and recovery
Identity Manager CA config name (of the configured CM connector)
Name of CM recovery token procedure
The CM must have key archival token procedures with key generation matching the key type and size (for example, RSA 4096 bit) of the respective QuoVadis policy templates
The CM must have an import CA with configured P10 import token procedure for import of QuoVadis certificates, which is set in the CM connector config nexus_cm.properties file via
caTokenProcedureImportCert=NameOfTheImportProcedure
This import CA must have a dummy self-signed key pair and have the same subject DN as the QuoVadis intermediate CA (for example, "CN=QuoVadis No Reliance ICA G3,O=QuoVadis Limited,C=BM").
If there are multiple different issuers (different policy templates may use different issuers), you need the following per issuer:
an import CA configuration in CM
a CM connector configuration specifying the import token procedure
a QuoVadis connector configuration referencing the CM configuration as key archive
Finally, if you want the certificate chain to be returned with non-recovery requests, you need this:
QuoVadis CA certificate(s) (intermediate(s) and root), if you want the connector to return a full certificate chain (the QV SOAP API itself does not support this)
For recovery requests the certificate chain is configured in Nexus Certificate Manager, see Use Certificate Manager for key archival and recovery for external CA.
Step-by-step instruction
Make sure you have the following:
Account: the configured organization of your QuoVadis account you want to use, for example, "My Company"
Trust store path: truststore file or certificate file of your QuoVadis endpoint, for example: "quovadisglobalcom.crt"
p12 path: the client certificate which is used to authenticate your Identity Manager installation against QuoVadis, for example: QV_Webservices_MyCompany.p12 (the password has to be configured in the Designer CA configuration in the signing password field)
CA host, for example: https://tlclientdev.quovadisglobal.com/ws/CertificateServices.asmx
Certificate archival and recovery: configured CM connector for key archival and recovery (see prerequisites above):
This is an example configuration:
Name of the CM connector config: for example, InternalCMConnector
Name of the CM recovery token procedure: for example, QuoVadisRecovery
Mapping of the QuoVadis template policy ID for encryption cert templates to the respective CM token procedure (for key archival), for example:
1769 => QvEncryption
1753 => QvEncryption
1811 => QvSmime
optional - for chain support in IDM 21.04 and later: the QuoVadis CA certificates in individual files (e.g. qvroot.crt, qvintermediate.crt)
optional - for proxy support in IDM 21.04 or later: the hostname/IP and port of the proxy
Create a file called quovadis.properties with the following properties (here using the example values from above):
Example
account=My Company
trustStorePath=quovadisglobalcom.crt
p12Path=QV_Webservices_MyCompany.p12
keyArchive=InternalCMConnector
policyTemplateIdToArchivalTemplateMapping=1769=QvEncryption;1753=QvEncryption;1811=QvSmime
recoveryTemplate=QuoVadisRecovery
# optional proxy config below
proxyHost=proxy.mycompany.com
proxyPort=3128
Create a zip file containing the following files in its root folder:
the certificate configured with trustStorePath: for example, quovadisglobalcom.crt
the client certificate as configured with p12Path: for example, QV_Webservices_MyCompany.p12
quovadis.properties
optional - a folder called chainCerts containing the QuoVadis CA certificates (here: qvroot.crt, qvintermediate.crt)
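To check a bundle before uploading it, the following added helper (not part of Identity Manager or the QuoVadis connector) parses quovadis.properties with the key=value and id=procedure;... syntax shown above, verifies that the files named by trustStorePath and p12Path are present, and builds the zip in the expected layout. File contents are passed in as bytes so the example runs offline on constructed input; the checks it performs are assumptions about what a well-formed bundle looks like, not documented connector validation.

```python
import io
import zipfile

REQUIRED_KEYS = ("account", "trustStorePath", "p12Path")
ARCHIVAL_KEYS = ("policyTemplateIdToArchivalTemplateMapping", "recoveryTemplate")

def parse_properties(text):
    """Parse key=value lines; split on the first '=' only so the mapping value survives."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props

def parse_archival_mapping(value):
    """'1769=QvEncryption;1753=QvEncryption;1811=QvSmime' -> {1769: 'QvEncryption', ...}"""
    mapping = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        policy_id, sep, procedure = entry.partition("=")
        if not sep or not policy_id.strip().isdigit() or not procedure.strip():
            raise ValueError(f"bad mapping entry: {entry!r}")
        mapping[int(policy_id)] = procedure.strip()
    return mapping

def build_connector_zip(props_text, files, chain_certs=None):
    """Validate the properties and return the upload zip as bytes (files are {name: bytes})."""
    props = parse_properties(props_text)
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        raise ValueError(f"missing properties: {missing}")
    if "keyArchive" in props:  # key archival also needs the mapping and recovery procedure
        missing = [k for k in ARCHIVAL_KEYS if k not in props]
        if missing:
            raise ValueError(f"keyArchive set but missing: {missing}")
        parse_archival_mapping(props["policyTemplateIdToArchivalTemplateMapping"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("quovadis.properties", props_text)  # properties sit in the zip root
        for key in ("trustStorePath", "p12Path"):
            if props[key] not in files:
                raise FileNotFoundError(f"{key}={props[key]} was not supplied")
            zf.writestr(props[key], files[props[key]])
        for name, data in (chain_certs or {}).items():  # optional CA chain folder
            zf.writestr(f"chainCerts/{name}", data)
    return buf.getvalue()
```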
To configure the QuoVadis connector in Identity Manager Admin:
Log in to Identity Manager Admin.
Go to Home > Certification Authorities (CA) and click New.
Enter Name of the QuoVadis connector. Click Save+Edit.
Select Connection type QuoVadis.
Click Upload and upload the zip file created under "Preparations" above.
Set the CA host URL, as mentioned under "Preparations" above.
Set the Signing password to the password of the p12 file configured with p12Path.
Click Save to save the configuration and go to the Details tab.
Click Search on the right hand side. All QuoVadis CA certificate types are fetched and all configurable certificate types are shown. Click Apply.
Click Testing. All connections should be green.
Click Save.
Identity Manager certificate templates used with the QuoVadis connector must have certain additional attributes set:
Follow these instructions to add these values in a certificate configuration:
In Identity Manager Admin, go to Home > Certificates.
Scroll to the bottom of the attributes list on the right.
Fill out three of the four QuoVadis attributes as required (depending on the type: SSL or user cert):
For server SSL certs:
CERT_API_TYPE: "SSL"
ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account
SUBSCRIBER_EMAIL: QuoVadis subscriber email address - assigning the responsible person's email address for this SSL certificate, e.g. from a process variable
For user certs:
CERT_API_TYPE: "user"
ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account
ADMINISTRATOR_EMAIL: QuoVadis administrator email address - set here the email address of a valid QuoVadis administrator (from your QuoVadis account)
The following certificate states for revocation requests are supported:
Identity Manager cert status (case-insensitive) | Status type | RFC-5280 reason for QuoVadis API
---|---|---
inactive | Identity Manager only | keyCompromise *
locked | Identity Manager only | keyCompromise *
keyCompromise | keyCompromise |
affiliationChanged | affiliationChanged |
superseded | superseded |
cessationOfOperation | cessationOfOperation |
As QuoVadis does not support temporary revocation, there are no mappings for Identity Manager cert states active / valid and temporary.inactive.
Any status not listed here (case insensitively) will lead to an error.
* You can optionally configure a different, supported RFC-5280 revocation reason which inactive and locked shall be mapped to in system.properties, for example, like this:
Example
quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=superseded
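The status mapping above, including the system.properties override and the error for unlisted statuses, written out as an added example (not the connector's own code). It assumes the override value must match one of the supported reason names exactly and that the connector's behaviour for unlisted statuses is simply to reject the request.

```python
# RFC 5280 reasons the QuoVadis API accepts for revocation (from the table above)
SUPPORTED_REASONS = {"keyCompromise", "affiliationChanged", "superseded", "cessationOfOperation"}
# Identity Manager statuses that carry the same name as an RFC 5280 reason, keyed lower-case
STATUS_TO_REASON = {reason.lower(): reason for reason in SUPPORTED_REASONS}
OVERRIDE_KEY = "quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked"

def rfc5280_reason(idm_status, system_props=None):
    """Return the RFC 5280 reason sent to QuoVadis for an Identity Manager
    certificate status. active / valid / temporary.inactive have no mapping
    (QuoVadis has no temporary revocation), so they raise like any other
    unlisted status."""
    system_props = system_props or {}
    status = idm_status.strip().lower()
    if status in ("inactive", "locked"):
        # default is keyCompromise; operators may override it in system.properties
        reason = system_props.get(OVERRIDE_KEY, "keyCompromise")
        if reason not in SUPPORTED_REASONS:
            raise ValueError(f"{OVERRIDE_KEY}={reason!r} is not a supported RFC 5280 reason")
        return reason
    if status in STATUS_TO_REASON:
        return STATUS_TO_REASON[status]
    raise ValueError(f"no QuoVadis revocation mapping for status {idm_status!r}")
```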
Additional information
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.