
Integrate Identity Manager with QuoVadis connector

This article is valid for Smart ID 21.04 and later.

This article describes how to connect Smart ID Identity Manager to the QuoVadis certificate authority. For the supported certificate authorities, see IDM 23.10.3 - Requirements and interoperability.

The following files and details are required:

  • QuoVadis account name

  • Endpoint URL of the QuoVadis CA service

  • QuoVadis CA server certificate (open the CA endpoint URL in the browser and export the certificate from there)

  • CA client PKCS#12 file + signing password

  • Policy template IDs used by your QuoVadis organisation(s)

If you want to use an HTTP proxy server such as Squid for the QuoVadis connector, you also need:

  • hostname or IP of the proxy

  • port of the proxy

Proxy authentication is not yet supported.



If you plan to use certificate archival and recovery, the following is also required:

  • A configured Smart ID Certificate Manager (CM) and CM connector for key archival and recovery

  • Identity Manager CA config name (of the configured CM connector)

  • Name of CM recovery token procedure

  • The CM must have key archival token procedures with key generation matching the key type and size (for example, RSA 4096 bit) of the respective QuoVadis policy templates

  • The CM must have an import CA with configured P10 import token procedure for import of QuoVadis certificates, which is set in the CM connector config nexus_cm.properties file via caTokenProcedureImportCert=NameOfTheImportProcedure

  • This import CA must have a dummy self-signed key pair and the same subject DN as the QuoVadis intermediate CA (for example, "CN=QuoVadis No Reliance ICA G3, O=QuoVadis Limited, C=BM")

  • If there are multiple different issuers (different policy templates may use different issuers), you need the following per issuer:

    • an import CA configuration in CM

    • a CM connector configuration specifying the import token procedure

    • a QuoVadis connector configuration referencing the CM configuration as key archive

Finally, if you want the certificate chain to be returned with non-recovery requests, you need this:

  • QuoVadis CA certificate(s) (intermediate(s) and root), if you want the connector to return a full certificate chain (the QV SOAP API itself does not support this)

For recovery requests the certificate chain is configured in Nexus Certificate Manager, see Use Certificate Manager for key archival and recovery for external CA.

Step-by-step instruction

Make sure you have the following:

  • Account: the configured organization of your QuoVadis account you want to use, for example, "My Company"

  • Trust store path: truststore file or certificate file of your QuoVadis endpoint, for example: "quovadisglobalcom.crt"

  • p12 path: the client certificate which is used to authenticate your Identity Manager installation against QuoVadis, for example: QV_Webservices_MyCompany.p12 (the password has to be configured in the Designer CA configuration in the signing password field)

  • CA host, for example: https://tlclientdev.quovadisglobal.com/ws/CertificateServices.asmx

  • Certificate archival and recovery: configured CM connector for key archival and recovery (see prerequisites above). An example configuration:

    • Name of the CM connector config: for example, InternalCMConnector

    • Name of the CM recovery token procedure: for example, QuoVadisRecovery

    • Mapping of the QuoVadis policy template ID for encryption certificate templates to the respective CM token procedure (for key archival), for example:

      • 1769 => QvEncryption

      • 1753 => QvEncryption

      • 1811 => QvSmime

  • optional - for chain support in IDM 21.04 and later: the QuoVadis CA certificates in individual files (e.g. qvroot.crt, qvintermediate.crt)

  • optional - for proxy support in IDM 21.04 or later: the hostname/IP and port of the proxy

  1. Create a file called quovadis.properties with the following properties (here using the example values from above):

    Example

    account=My Company
    trustStorePath=quovadisglobalcom.crt
    p12Path=QV_Webservices_MyCompany.p12
    keyArchive=InternalCMConnector
    policyTemplateIdToArchivalTemplateMapping=1769=QvEncryption;1753=QvEncryption;1811=QvSmime
    recoveryTemplate=QuoVadisRecovery
    # optional proxy config below
    proxyHost=proxy.mycompany.com
    proxyPort=3128



  2. Create a zip file containing the following files in its root folder:

    • the certificate configured with trustStorePath: for example, quovadisglobalcom.crt

    • the client certificate as configured with p12Path: for example, QV_Webservices_MyCompany.p12

    • quovadis.properties

    • optional - a folder called chainCerts containing the QuoVadis CA certificates (here: qvroot.crt, qvintermediate.crt)
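A pre-flight check for the zip bundle built in steps 1 and 2, added here as an example and not part of Identity Manager or Nexus' own tooling: it reads quovadis.properties from the zip, verifies that the files named by trustStorePath and p12Path really sit in the zip root, and parses the policyTemplateIdToArchivalTemplateMapping value in the `id=procedure;id=procedure` form shown above. The sample bundle is constructed in memory with placeholder file contents.

```python
import io
import zipfile
SAMPLE_PROPERTIES = """\
account=My Company
trustStorePath=quovadisglobalcom.crt
p12Path=QV_Webservices_MyCompany.p12
keyArchive=InternalCMConnector
policyTemplateIdToArchivalTemplateMapping=1769=QvEncryption;1753=QvEncryption;1811=QvSmime
recoveryTemplate=QuoVadisRecovery"""  # constructed from the page's example values, not a live config

def parse_properties(text):
    """Minimal Java-style .properties reader: key=value per line, '#' starts a comment."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines)}

def parse_template_mapping(value):
    """'1769=QvEncryption;1811=QvSmime' -> {1769: 'QvEncryption', 1811: 'QvSmime'}."""
    mapping = {}
    for pair in filter(None, value.split(";")):
        policy_id, sep, procedure = pair.partition("=")
        if not (sep and policy_id.strip().isdigit() and procedure.strip()):
            raise ValueError(f"bad policy template mapping entry: {pair!r}")
        mapping[int(policy_id)] = procedure.strip()
    return mapping

def check_bundle(zip_bytes):
    """Return the problems found in a connector zip; an empty list means it looks usable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if "quovadis.properties" not in names:
            return ["quovadis.properties missing from zip root"]
        props = parse_properties(zf.read("quovadis.properties").decode())
    problems = [f"required property {k} is missing" for k in ("account", "trustStorePath", "p12Path") if not props.get(k)]
    # the trust store and the client PKCS#12 must sit in the zip root under the configured names
    problems += [f"{k}={props[k]} not in zip root" for k in ("trustStorePath", "p12Path") if props.get(k) and props[k] not in names]
    try:  # mapping is only needed with key archival; an absent value parses to {}
        parse_template_mapping(props.get("policyTemplateIdToArchivalTemplateMapping", ""))
    except ValueError as e:
        problems.append(str(e))
    return problems

def build_sample_bundle(include_p12=True):
    """Constructed in-memory zip in the layout the page describes; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quovadis.properties", SAMPLE_PROPERTIES)
        zf.writestr("quovadisglobalcom.crt", "placeholder PEM certificate")
        if include_p12:
            zf.writestr("QV_Webservices_MyCompany.p12", b"placeholder PKCS#12 bytes")
    return buf.getvalue()
```

Run check_bundle on the bytes of your real zip before uploading it; a non-empty list tells you which file or property the Designer upload would trip over.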



To configure the QuoVadis connector in Identity Manager Admin:

  1. Log in to Identity Manager Admin.

  2. Go to Home > Certification Authorities (CA) and click New.

  3. Enter Name of the QuoVadis connector. Click Save+Edit.

  4. Select Connection type QuoVadis.

  5. Click Upload and upload the zip file created under "Preparations" above.

  6. Set the CA host URL, as mentioned under "Preparations" above.

  7. Set the Signing password to the password of the p12 file configured with p12Path.

  8. Click Save to save the configuration and go to the Details tab.

  9. Click Search on the right-hand side. All QuoVadis CA certificate types are fetched and all configurable certificate types are shown. Click Apply.

  10. Click Testing. All connections should be green.

  11. Click Save.



Identity Manager certificate templates used with the QuoVadis connector must have certain additional attributes set:

Follow these instructions to add these values in a certificate configuration:

  1. In Identity Manager Admin, go to Home > Certificates.

  2. Scroll to the bottom of the attributes list on the right.

  3. Fill out three of the four QuoVadis attributes as required (depending on the type: SSL or user cert):

For server SSL certs:

  • CERT_API_TYPE: "SSL"

  • ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account

  • SUBSCRIBER_EMAIL: QuoVadis subscriber email address - assigning the responsible person's email address for this SSL certificate, e.g. from a process variable

For user certs:

  • CERT_API_TYPE: "user"

  • ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account

  • ADMINISTRATOR_EMAIL: QuoVadis administrator email address - set here the email address of a valid QuoVadis administrator (from your QuoVadis account)



The following certificate states for revocation requests are supported:

| Identity Manager cert status (case-insensitive) | Status type           | RFC-5280 reason for QuoVadis API |
|-------------------------------------------------|-----------------------|----------------------------------|
| inactive                                        | Identity Manager only | keyCompromise *                  |
| locked                                          | Identity Manager only | keyCompromise *                  |
| keyCompromise                                   | RFC-5280              | keyCompromise                    |
| affiliationChanged                              | RFC-5280              | affiliationChanged               |
| superseded                                      | RFC-5280              | superseded                       |
| cessationOfOperation                            | RFC-5280              | cessationOfOperation             |

As QuoVadis does not support temporary revocation, there are no mappings for Identity Manager cert states active / valid and temporary.inactive.

Any status not listed here (compared case-insensitively) will lead to an error.


* You can optionally configure a different, supported RFC-5280 revocation reason that inactive and locked are mapped to. Set it in system.properties, for example:

Example
quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=superseded
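The status table and the footnote above, as an added example (not Identity Manager's own code): the mapping is looked up case-insensitively, inactive and locked resolve to keyCompromise unless the system.properties override names another supported reason, and any other status (including active / valid and temporary.inactive) raises an error. The override is passed in as an already-parsed dict, which is an assumption of this example.

```python
# Mapping table from the page: Identity Manager status -> RFC 5280 reason sent to QuoVadis.
SUPPORTED_RFC5280_REASONS = {"keyCompromise", "affiliationChanged", "superseded", "cessationOfOperation"}
IDM_ONLY_STATES = {"inactive", "locked"}          # Identity Manager only; QuoVadis has no equivalent
DEFAULT_REASON_FOR_IDM_ONLY = "keyCompromise"      # value marked with * in the table
OVERRIDE_KEY = "quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked"  # system.properties key


class UnsupportedRevocationStatus(ValueError):
    """Raised for any status the connector cannot map, e.g. active / valid or temporary.inactive."""


def reason_for_idm_only_states(system_properties):
    """Reason used for inactive/locked, honouring the optional system.properties override."""
    reason = system_properties.get(OVERRIDE_KEY, DEFAULT_REASON_FOR_IDM_ONLY).strip()
    if reason not in SUPPORTED_RFC5280_REASONS:
        # the page only allows a *supported* reason here, so e.g. certificateHold is rejected
        raise ValueError(f"{OVERRIDE_KEY} must be one of {sorted(SUPPORTED_RFC5280_REASONS)}, got {reason!r}")
    return reason


def map_revocation_reason(idm_status, system_properties=None):
    """Map an Identity Manager cert status (case-insensitive) to the RFC 5280 reason for QuoVadis."""
    props = system_properties if system_properties is not None else {}  # assumed: parsed system.properties
    status = idm_status.strip().lower()
    if status in IDM_ONLY_STATES:
        return reason_for_idm_only_states(props)
    canonical = {r.lower(): r for r in SUPPORTED_RFC5280_REASONS}
    if status in canonical:
        return canonical[status]  # return the RFC 5280 spelling whatever case the input used
    raise UnsupportedRevocationStatus(f"no QuoVadis revocation mapping for status {idm_status!r}")
```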






Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.