The following prerequisites apply: 

• Identity Manager is installed, see Deploy Smart ID (for legacy systems, see Install Identity Manager).
• Smart ID Messaging (Hermod) is installed locally or running as a service. See Deploy Smart ID.
• Server certificates to Identity Manager and Hermod must be available, to set up an https connection. 

Do settings in Smart ID Messaging to connect to Identity Manager over https.

See the instructions here: Integrate Smart ID Messaging with other Smart ID components.

1. Log in to Identity Manager Admin.

To set up the connection to Smart ID Messaging in Identity Manager:

1. In Identity Manager Admin, go to Home > Messaging Server.

2. To add a new messaging server:

   1. Click +New. Enter a Name and a Description.

   2. Click Save+Edit. 
      The Messaging Server panel is shown.

   3. In URL, enter the URL of the messaging server ending with command. The example assumes it is deployed as the web app Hermod. 

      1. Set the scheme to HTTPS and the port to the port number used by Hermod for callbacks. See Add API user and callback URL in Hermod

         Example: URL to Hermod web app

         https://<my-hermod-server>:<port>/hermod/rest/command

   4. In Authentication token, enter base64(clientId:key) with the values for clientId and key that were used in the new client. 

      Example: Authentication token

      cHJpbWUxOjA3OWI2YTY0ZDc1YjRlOTU4NWJkMGMyNGYzNmE3ZGViYTBhZDAzNDk4ZWNmNGQ2OWI1NzY2ZjI0ZmEwMmUwNDU=

   5. In Lifespan, enter the desired lifespan in seconds of a command to Smart ID Messaging.
      After this time, the command is removed from history and the provisioning will fail. 
   6. In Timeout, enter the desired timeout in seconds of a command to Smart ID Messaging. The timeout must be shorter than the lifespan.
      After this time, the command is removed from the message box, but kept for polling until the lifespan is reached.
3. To edit an existing identity template, double-click on its name.
   

To create a dedicated user for Messaging Server:

1. In Identity Manager Admin, go to Home > User Administration.
2. Click +New. Enter a Username and a Password.
3. Click Save.

Add this user's username and password in the configuration file when adding an API user in the Messaging Server component Hermod, see here: Add API user and callback URL in Hermod.

The Smart ID clients Mobile and Desktop clients refuse HTTP connections. Therefore, Smart ID Messaging must be set up to listen on an HTTPS port. It is recommended to also run Identity Manager over HTTPS, even if callbacks from Smart ID Messaging to Identity Manager are also allowed over HTTP. The following instruction assumes that both Smart ID Messaging and Identity Manager run in Tomcat.

To set up HTTPS connections for Identity Manager and Smart ID Messaging: 

1. Set up HTTPS ports in the file server.xml in the respective Tomcat installation. 
2. Make sure that the following URLs have the HTTPS scheme and ports for HTTPS, as described above:
   1. In Smart ID Messaging:
      
      1. callbackUrl: Identity Manager callback base URL for Smart ID Messaging.
      2. publicUrl: Smart ID Messaging MS endpoint
   2. In Identity Manager: 
      1. URL: Smart ID Messaging command URL for Identity Manager.
3. Configure cacerts with the new CA certificate:
   1. Copy the file jre\lib\security\cacerts of the JVM and store it somewhere, for example in C:\the\modified\cacerts. 
   2. Import the new CA certificate in the new cacerts file. 

   3. Set the cacerts as JVM arguments of each Tomcat, for example, by setting the CATALINA_OPTS environment variable:
      

      Example: JVM arguments in CATALINA_OPTS

      -Djavax.net.ssl.trustStore="C:\the\modified\cacerts" -Djavax.net.ssl.trustStorePassword="changeit"