nevisIDM Configuration
nevisIDM requires special configuration to be able to support dispatch targets. This section guides you through the steps necessary to make nevisIDM work with nevisFIDO.
You need to adjust the following nevisIDM configuration:
- Add custom properties to the nevisIDM database (only if the nevisIDM version is older than 2.75.0).
- Configure client TLS.
- Customize the standalone.xml of nevisIDM to configure client TLS.
Custom Properties
If you are using a database created by nevisIDM 2.75.0 or later, all the required schema definitions for the dispatch targets are provided out-of-the-box by nevisIDM, and you can skip this section.
nevisFIDO manages persisted dispatch targets by using nevisIDM custom credential objects. The following SQL script sets up the custom properties used by nevisFIDO:
-- Generic Credential policy is required to be able to create Generic Credentials.
INSERT INTO TIDMA_POLICY_CONFIGURATION
(POLICY_CONFIGURATION_ID, CTL_TCN, CTL_CRE_UID, CTL_CRE_DAT, CTL_MOD_UID, CTL_MOD_DAT, POLICY_TYPE, DESCRIPTION, NAME, EXTID, DEFAULT_POLICY, CLIENT_ID)
VALUES
(901, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'GenericCredentialPolicy', 'Default policy for generic credentials', 'Default Generic Credential Policy', '901', 1, 100);
commit;
-- Add Dispatcher target property definitions for Generic Credential type
-- Note: the properties are created with the bootstrap user, so the fields will be editable in the nevisIDM UI, because the root user has the permission "PropertyAttributeAccessOverride"
INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID, CTL_TCN, CTL_CRE_UID, CTL_CRE_DAT, CTL_MOD_UID, CTL_MOD_DAT, NAME, DESCRIPTION, TYPE, SCOPE, ENCRYPTED, PROPAGATED, MANDATORY_ON_GUI, STR_MAX_LEN, STR_REGEX, ACCESS_CREATE, ACCESS_MODIFY, UNIQUENESS_SCOPE, GUI_PRECEDENCE, DISPLAYNAME_DICT_ENTRY_ID, APPLICATION_ID, CLIENT_ID)
VALUES
(901, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_name', 'Human readable name of the device', 2, 21, 0, 0, 1, 1000, NULL, 'rw', 'rw', NULL, 0, NULL, NULL, NULL),
(902, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_app_id', 'The appId of the application where the device is registered', 2, 21, 0, 0, 1, 100, NULL,'rw', 'rw', NULL, 1, NULL, NULL, NULL),
(903, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_target', 'The target identifier of the channel', 2, 21, 0, 0, 1, 4096, NULL, 'rw', 'rw', NULL, 2, NULL, NULL, NULL),
(904, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_dispatcher', 'The name of the dispatcher', 2, 21, 0, 0, 1, 100, NULL, 'rw', 'rw', NULL, 3, NULL, NULL, NULL),
(905, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_encryption_key', 'Encryption key used for encrypting the channel data', 2, 21, 0, 0, 1, 10000, NULL, 'rw', 'rw', NULL, 4, NULL, NULL, NULL),
(906, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_signature_key', 'The signature key used for signing dispatch channel information', 2, 21, 0, 0, 1, 10000, NULL, 'rw', 'rw', NULL, 5, NULL, NULL, NULL),
(907, 0, 'Default/bootstrap', SYSDATE, 'Default/bootstrap', SYSDATE, 'fidouaf_device_id', 'The device identifier', 2, 21, 0, 0, 1, 10000, NULL, 'rw', 'rw', NULL, 6, NULL, NULL, NULL);
commit;
The script must be applied to the nevisIDM database:
mysql -u root --password="" nevisidm < nevisfido-customprops.sql
Client TLS Configuration (Certificates)
Because nevisAuth uses client TLS to communicate with nevisIDM, you need to configure the required certificate data and the CertLoginModule of nevisIDM. Proceed as described below.
Using a PKCS12 truststore for nevisIDM does not work together with WildFly as container. Therefore, we suggest using JKS for both the nevisIDM keystore and truststore. In a nevisIDM standalone deployment, PKCS12 can be used without limitations.
Ensure that the nevisidm.administration-url property in the nevisfido.yml refers to the nevisIDM administration context root. See also the nevisIDM reference guide, chapter "Integration > Configuring certificate login (2-way TLS) for accessing nevisIDM web services".
- In case of a nevisIDM WildFly deployment, the context root is nevisidmcc (for instance https://<hostname>:8443/nevisidmcc/services/v1/AdminService).
- In case of a nevisIDM standalone deployment, the context root is nevisidm (for instance https://<hostname>:8443/nevisidm/services/v1/AdminService).
Create the self-signed certificates and the keystores. All of the following commands create keystores protected with the password "password".
Client (nevisFIDO) certificate
keytool -genkeypair -keyalg RSA -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=nevisfido,ou=auth,dc=nevis-security,dc=com" --noprompt
Server (nevisIDM) certificate (a PKCS12 keystore can be used in case of a nevisIDM standalone deployment)
keytool -genkeypair -keyalg RSA -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -keypass password -validity 360 -keysize 2048 -dname "cn=siven.ch,ou=auth,dc=nevis-security,dc=com" --noprompt
The hostname is relevant: the hostname in the certificate DN (cn=siven.ch above) is the one checked by the hostname verifier when the HTTPS connection is established, so it must match the name the client connects to.
Create the truststores. The easy way is to use the nevisFIDO keystore as the truststore for nevisIDM and vice versa. However, the clean and safe way is to define a truststore that contains only the public certificate of the peer, not its private key. For this, use the following commands:
Truststore configuration (a PKCS12 keystore can be used with a nevisIDM standalone deployment)
keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc -file X509_nevisfido.cer
keytool -importcert -alias nevisfido -file X509_nevisfido.cer -keystore nevisidm-truststore.jks -storetype jks -storepass password --noprompt
keytool -export -alias nevisidm -keystore nevisidm-keystore.jks -storetype jks -storepass password -rfc -file X509_nevisidm.cer
keytool -importcert -alias nevisidm -file X509_nevisidm.cer -keystore nevisfido-truststore.p12 -storetype pkcs12 -storepass password --noprompt
Configure the nevisIDM Java Virtual Machine arguments (only in the context of a nevisIDM WildFly deployment). Add the following elements to /var/opt/nevisidm/nevisidm/conf/vmargs.conf:
Additional nevisIDM vmargs
-Dch.adnovum.nevisidm.web.servlets.ForwardServlet.Enabled=true
-Dch.adnovum.nevisidm.web.servlets.ForwardServlet.ForwardPath=/services/
See also the nevisIDM reference guide, chapter "Integration > Configuring certificate login (2-way TLS) for accessing nevisIDM web services".
Do not add the Java Virtual Machine arguments above in case of a nevisIDM standalone deployment.
Update the nevisIDM configuration:
- In case of a nevisIDM WildFly deployment, update the file /var/opt/adnwildfly/instances/nevisidm/standalone/configuration/standalone.xml. Copy the previously created nevisIDM keystore and truststore to the nevisIDM machine. You will have to update the paths of the keystores and truststores referenced in the configuration (look for nevisidm-keystore.jks and nevisidm-truststore.jks). For more information, refer to nevisIDM WildFly standalone.xml.
- In case of a nevisIDM standalone deployment, update the file /var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties. Copy the previously created nevisIDM keystore and truststore to the nevisIDM machine. You will have to update the paths of the keystores and truststores referenced in the configuration (look for nevisidm-keystore.p12 and nevisidm-truststore.p12). For more information, refer to nevisIDM Standalone nevisidm-prop.properties.
- Restart nevisIDM:
nevisidm restart
Add the public certificate of nevisFIDO to the nevisfido user in nevisIDM. Proceed as follows:
- Go to the nevisIDM administration UI. In the case of server siven.ch, the URL of the administration UI is https://siven.ch/nevisidm/admin. The initial credentials to log in to the nevisIDM admin UI are id=bootstrap / password=generated. You will be prompted to reset the password. By convention, reset it to Generated1!.
- In the nevisIDM administration UI, search for the user nevisfido.
- Add a credential of type "certificate" to the user nevisfido. Uncheck the "Create ticket for upload" checkbox. The certificate to be added is the public certificate of nevisFIDO (its public key, never the private key). Print the certificate on the shell and copy & paste it into the nevisIDM administration UI. To print the certificate, run one of the following commands:
keytool -export -alias nevisfido -keystore nevisfido-keystore.p12 -storetype pkcs12 -storepass password -rfc
or
keytool -export -alias nevisfido -keystore nevisidm-truststore.jks -storetype jks -storepass password -rfc
Some notes on the last step:
- The browser will complain about the presented certificate (which is self-signed). Accept the certificate anyway.
- If you performed the above procedure on your PC before, there will already be a certificate in your browser. Remove this certificate from your browser. This is necessary to prevent the browser from blocking you: because the previously generated certificate does not match the new certificate, the browser will not allow you to carry on with the connection.
nevisIDM WildFly standalone.xml
In case of a nevisIDM WildFly deployment, you need to adjust the standalone.xml file of nevisIDM. Pay special attention to the following sections:
HTTPS Security Realm
Add the keystore and truststore configurations to the HttpsRealm security realm:
<security-realm name="HttpsRealm">
<server-identities>
<ssl>
<keystore path="/var/opt/certs/nevisidm-keystore.jks" keystore-password="password" provider="jks"/>
</ssl>
</server-identities>
<authentication>
<truststore path="/var/opt/certs/nevisidm-truststore.jks" keystore-password="password" provider="jks"/>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
Client Certificate Security Domain
Configure the NevisIDMClientCertDomain security domain:
<security-domain name="NevisIDMClientCertDomain" cache-type="default">
<authentication>
<login-module code="ch.adnovum.nevisidm.jaas.CertLoginModule" flag="required"/>
</authentication>
...
</security-domain>
Server Configuration
Add an HTTPS listener to the configured security realm:
<server name="default-server">
...
<https-listener name="cc-ssl" socket-binding="https" security-realm="HttpsRealm" verify-client="required"/>
...
</server>
Interface Configuration
Adjust the interface configuration:
<interfaces>
<interface name="management">
<inet-address value="0.0.0.0"/>
</interface>
<interface name="public">
<inet-address value="0.0.0.0"/>
</interface>
</interfaces>
Socket Binding Configuration
Update the socket binding configuration:
<socket-binding-group name="standard-sockets" default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="https" port="8443" fixed-port="true"/>
</socket-binding-group>
Deployment Configuration
Add the required deployment configuration:
<deployments>
<deployment name="nevisidm-application-2.64.1.0-mysql.wildfly10.ear" runtime-name="nevisidm-application-2.64.1.0-mysql.wildfly10.ear">
<content sha1="cfccdfe81db5928424d02a71367c5456c2ccbf81"/>
</deployment>
</deployments>
Complete standalone.xml Example
The following code sample shows a complete standalone.xml configuration to be used with nevisIDM WildFly deployment:
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:4.2">
<extensions>
<extension module="org.jboss.as.connector"/>
<extension module="org.jboss.as.deployment-scanner"/>
<extension module="org.jboss.as.ee"/>
<extension module="org.jboss.as.jmx"/>
<extension module="org.jboss.as.logging"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.mail"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.jboss.as.webservices"/>
<extension module="org.wildfly.extension.io"/>
<extension module="org.wildfly.extension.undertow"/>
<extension module="org.wildfly.extension.messaging-activemq"/>
<extension module="org.wildfly.extension.bean-validation"/>
</extensions>
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="HttpsRealm">
<server-identities>
<ssl>
<keystore path="/var/opt/certs/nevisidm-keystore.jks" keystore-password="password"
provider="jks"/>
</ssl>
</server-identities>
<authentication>
<truststore path="/var/opt/certs/nevisidm-truststore.jks" keystore-password="password"
provider="jks"/>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log"
relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="false">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:logging:3.0">
<add-logging-api-dependencies value="false"/>
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<named-formatter name="COLOR-PATTERN"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<named-formatter name="PATTERN"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="io.undertow">
<level name="WARN"/>
</logger>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="org.apache.tomcat.util.modeler">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="INFO"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<logger category="ch.nevis.idm">
<level name="INFO"/>
</logger>
<logger category="ch.adnovum.nevisidm">
<level name="ERROR"/>
</logger>
<logger category="ch.nevis.ninja">
<level name="INFO"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
<formatter name="PATTERN">
<pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
<formatter name="COLOR-PATTERN">
<pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
</formatter>
</subsystem>
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"
runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:4.0">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<concurrent>
<context-services>
<context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default"
use-transaction-setup-provider="true"/>
</context-services>
<managed-executor-services>
<managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default"
context-service="default" hung-task-threshold="60000" core-threads="5"
max-threads="25" keepalive-time="5000"/>
</managed-executor-services>
<managed-scheduled-executor-services>
<managed-scheduled-executor-service name="default"
jndi-name="java:jboss/ee/concurrency/scheduler/default"
context-service="default" hung-task-threshold="60000"
core-threads="2" keepalive-time="3000"/>
</managed-scheduled-executor-services>
</concurrent>
</subsystem>
<subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:1.1">
<worker name="default"/>
<buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jca:4.0">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:mail:2.0"/>
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
<server name="default">
<security-setting name="#">
<role name="consumer" consume="true"/>
<role name="producer" send="true"/>
</security-setting>
<address-setting name="#" dead-letter-address="jms.queue.DLQ" expiry-address="jms.queue.ExpiryQueue"
max-size-bytes="10485760" page-size-bytes="2097152"
message-counter-history-day-limit="10"/>
<remote-connector name="netty" socket-binding="msg"/>
<in-vm-connector name="in-vm" server-id="0"/>
<remote-acceptor name="netty" socket-binding="msg"/>
<in-vm-acceptor name="in-vm" server-id="0"/>
<jms-queue name="ExpiryQueue" entries="java:/jms/queue/ExpiryQueue"/>
<jms-queue name="DLQ" entries="java:/jms/queue/DLQ"/>
<jms-queue name="Provisioning"
entries="java:/jms/queue/Provisioning java:/jboss/exported/jms/queue/Provisioning"/>
<connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory" connectors="in-vm"/>
</server>
</subsystem>
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:3.0"/>
<subsystem xmlns="urn:jboss:domain:resource-adapters:4.0"/>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="NevisSecTokenDomain" cache-type="default">
<authentication>
<login-module code="ch.nevis.ninja.jboss.auth.NinjaJbossLoginModuleImpl" flag="sufficient"
module="ch.nevis.ninja">
<module-option name="NevisSignerCertificate"
value="/var/opt/neviskeybox/default/nevis/truststore.jks"/>
<module-option name="UserGetter" value="AttributeUserGetter(source=loginId)"/>
<module-option name="AdjustIdentity" value="true"/>
<module-option name="LogDebug" value="false"/>
<module-option name="RoleGetters"
value="ch.nevis.ninja.commons.mapping.StaticRoleGetter, ch.nevis.ninja.commons.mapping.TokenRoleGetter"/>
</login-module>
<login-module code="ch.adnovum.nevisidm.jaas.BasicAuthLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="NevisIDMClientCertDomain" cache-type="default">
<authentication>
<login-module code="ch.adnovum.nevisidm.jaas.CertLoginModule" flag="required">
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:3.0">
<core-environment>
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="http"/>
<https-listener name="cc-ssl" socket-binding="https" security-realm="HttpsRealm"
verify-client="required"/>
<host name="default-host" alias="localhost"/>
</server>
<servlet-container name="default">
<jsp-config/>
</servlet-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:webservices:2.0">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>${jboss.bind.address:localhost}</wsdl-host>
<wsdl-port>${jboss.management.http.port:1}</wsdl-port>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers"
protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="0.0.0.0"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:1}"/>
<socket-binding name="http" port="8989" fixed-port="true"/>
<socket-binding name="txn-recovery-environment" port="2"/>
<socket-binding name="txn-status-manager" port="3"/>
<socket-binding name="msg" port="4"/>
<socket-binding name="https" port="8443" fixed-port="true"/>
</socket-binding-group>
<deployments>
<deployment name="nevisidm-application-2.64.1.0-mysql.wildfly10.ear"
runtime-name="nevisidm-application-2.64.1.0-mysql.wildfly10.ear">
<content sha1="cfccdfe81db5928424d02a71367c5456c2ccbf81"/>
</deployment>
</deployments>
</server>
nevisIDM Standalone nevisidm-prop.properties
In case of a nevisIDM standalone deployment, you need to adjust the nevisidm-prop.properties file of nevisIDM. These are the key elements:
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password
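The following Python script is an added example, not code from the nevisIDM or nevisFIDO documentation. It checks both nevisIDM configuration variants described on this page before the restart: the WildFly standalone.xml sections (HttpsRealm keystore and truststore, the https-listener with verify-client="required", and the NevisIDMClientCertDomain with CertLoginModule) and the standalone nevisidm-prop.properties key elements (TLS enabled, client authentication required, keystore and truststore pointing at different files). The function names and finding messages are the example's own; the sample configuration texts are constructed inline from the fragments shown on this page.

```python
# Added example, not part of the nevisIDM or nevisFIDO documentation: a
# pre-restart check that the nevisIDM configuration enforces client-certificate
# TLS in both deployment variants on this page (WildFly standalone.xml and the
# standalone nevisidm-prop.properties). Sample inputs are constructed below.
import xml.etree.ElementTree as ET

CERT_LOGIN_MODULE = "ch.adnovum.nevisidm.jaas.CertLoginModule"

def _local(tag):
    """Drop the XML namespace: '{urn:jboss:domain:4.2}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]

def check_standalone_xml(xml_text):
    """WildFly deployment: return the list of findings (empty means all checks passed)."""
    elems = list(ET.fromstring(xml_text).iter())
    def by_tag(tag):
        return [e for e in elems if _local(e.tag) == tag]
    realms = {e.get("name"): e for e in by_tag("security-realm")}
    findings = []
    for lst in by_tag("https-listener"):
        if lst.get("verify-client") != "required":
            findings.append(f"https-listener {lst.get('name')}: verify-client is not 'required'")
        realm = realms.get(lst.get("security-realm"))
        if realm is None:
            findings.append(f"https-listener {lst.get('name')}: security realm not defined")
            continue
        tags = {_local(e.tag) for e in realm.iter()}
        for needed in ("keystore", "truststore"):  # server identity and client-cert trust anchors
            if needed not in tags:
                findings.append(f"realm {realm.get('name')}: no {needed}")
    domain = next((d for d in by_tag("security-domain") if d.get("name") == "NevisIDMClientCertDomain"), None)
    if domain is None:
        findings.append("security-domain NevisIDMClientCertDomain missing")
    elif not any(m.get("code") == CERT_LOGIN_MODULE and m.get("flag") == "required"
                 for m in domain.iter() if _local(m.tag) == "login-module"):
        findings.append("NevisIDMClientCertDomain: CertLoginModule is not a required login module")
    return findings

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_properties(text):
    """Standalone deployment: return the list of findings (empty means all checks passed)."""
    p = parse_properties(text)
    findings = []
    if p.get("server.tls.enabled") != "true":
        findings.append("server.tls.enabled is not true")
    if p.get("server.tls.require-client-auth") != "true":
        findings.append("server.tls.require-client-auth is not true: callers without a client certificate reach the AdminService")
    keystore, truststore = p.get("server.tls.keystore"), p.get("server.tls.truststore")
    if not (keystore and truststore):
        findings.append("server.tls.keystore or server.tls.truststore is missing")
    elif keystore == truststore:
        findings.append("keystore reused as truststore; use a truststore holding only the peer certificate")
    return findings

# Constructed sample: the WildFly fragments from this page, reduced to what the check needs.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.2">
 <management><security-realms><security-realm name="HttpsRealm">
  <server-identities><ssl><keystore path="/var/opt/certs/nevisidm-keystore.jks" keystore-password="password" provider="jks"/></ssl></server-identities>
  <authentication><truststore path="/var/opt/certs/nevisidm-truststore.jks" keystore-password="password" provider="jks"/></authentication>
 </security-realm></security-realms></management>
 <profile>
  <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
   <security-domain name="NevisIDMClientCertDomain" cache-type="default"><authentication>
    <login-module code="ch.adnovum.nevisidm.jaas.CertLoginModule" flag="required"/>
   </authentication></security-domain></security-domains></subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:3.1"><server name="default-server">
   <https-listener name="cc-ssl" socket-binding="https" security-realm="HttpsRealm" verify-client="required"/>
  </server></subsystem>
 </profile>
</server>"""

# Constructed sample: the standalone key elements from this page.
SAMPLE_PROPERTIES = """# Server configuration
server.tls.enabled=true
server.tls.require-client-auth=true
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
"""

# Weakened variants: client certificate only requested, and keystore reused as truststore ("easy way").
WEAK_STANDALONE_XML = SAMPLE_STANDALONE_XML.replace('verify-client="required"', 'verify-client="requested"')
WEAK_PROPERTIES = (SAMPLE_PROPERTIES.replace("require-client-auth=true", "require-client-auth=false")
                   .replace("nevisidm-truststore.p12", "nevisidm-keystore.p12"))

if __name__ == "__main__":
    for label, text, check in (("standalone.xml", SAMPLE_STANDALONE_XML, check_standalone_xml),
                               ("weak standalone.xml", WEAK_STANDALONE_XML, check_standalone_xml),
                               ("nevisidm-prop.properties", SAMPLE_PROPERTIES, check_properties),
                               ("weak properties", WEAK_PROPERTIES, check_properties)):
        print(label, check(text) or "OK")
```

Run it against your own files by reading them into check_standalone_xml or check_properties; an empty list means the settings this page asks for are in place, while each finding names the element or property that would let a caller reach the AdminService without a valid client certificate.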
Complete nevisidm-prop.properties Example
The following code sample shows a complete nevisidm-prop.properties configuration to be used with nevisIDM standalone deployment:
# Server configuration
server.tls.enabled=true
server.tls.require-client-auth=true
server.host=0.0.0.0
server.port=8443
server.tls.keystore=/var/opt/certs/nevisidm-keystore.p12
server.tls.keystore-passphrase=password
server.tls.truststore=/var/opt/certs/nevisidm-truststore.p12
server.tls.truststore-passphrase=password
# DB connectivity
database.connection.url=jdbc:mysql://localhost:3306/nevisidm?autocommit=0
database.connection.username=UIDM02
database.connection.password=UIDM02
# Auditing
application.modules.auditing.provider=jsonAuditProvider
application.modules.auditing.file=${server.log.dir}/audit.json
# Folder to store pdf
application.modules.printing.dir.target=/var/tmp/nevisidm_pdfs
# mail server
application.mail.smtp.host=localhost
application.mail.smtp.port=25
[email protected]
# enables enterprise role feature
application.feature.enterpriserole.enabled=true
# enable application.feature.multiclientmode.enabled
application.feature.multiclientmode.enabled=true
# Experimental REST service
experimentalRest.enabled=true
# Ninja Truststore
server.auth.ninja.truststore=/var/opt/neviskeybox/default/nevis/truststore.jks
multiClientMode=true