API Integration Guide SmartSignatur SSES Server

v1.0

 

Overview and architecture

 

This document describes the SOAP API in the SmartSignatur Enrollment Service (SSES).

The overall architecture of SSES consists of the following components:

  • Public SOAP endpoint for User management.

  • Private SOAP endpoint for Certificate management; should only be used by SmartSignatur Clients.

  • Micro Focus eDirectory for User Store and optional SecretStore for Softkey Certificate Store.

  • Optional Micro Focus IDM for integration; leverages the Public SOAP endpoint for User management.

 

Liga Software provides a set of sample Micro Focus IDM Drivers for integration with SSES. The drivers are provided as-is and must be customized according to the customer environment.

 

SOAP Services 

API Key and API App

All access to SSES SOAP Services is controlled by an API Key and API Application. The API Key and API Application are configured in the SSES administration portal.

For security reasons, add a separate API Key and API Application for each service/host that uses the SSES SOAP API, so that a compromised or retired integration can be revoked without affecting the others.

If an invalid APIKey or APIApplication is specified, the returned result will be:

 

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <SOAP-ENV:Fault>

         <faultcode>SOAP-ENV:Server</faultcode>

         <faultstring xml:lang="en">APIKey is invalid</faultstring>

      </SOAP-ENV:Fault>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

General Status Codes

 

All SOAP results include a StatusCode; if the StatusCode is different from 0 (Success), a StatusMessage is included as well.

Field           Type     Meaning

StatusCode      Int      0 = Success
                         Negative = Error
                         Positive = Warning

StatusMessage   String   If StatusCode != 0, StatusMessage contains a description of the error or warning.
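As an added example (not part of the original guide and not Liga Software's code), the following Python handles the two result shapes described above: the SOAP Fault returned for a bad APIKey/APIApplication, and the StatusCode/StatusMessage carried by every other result. The sample envelopes are constructed; that StatusMessage sits next to StatusCode in the management namespace is an assumption, since the guide does not show one.

```python
"""Classify SSES SOAP results: SOAP Fault vs StatusCode/StatusMessage (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAN_NS = "http://liga.dk/smartsignatur/management"   # StatusCode / StatusMessage live in this namespace


class SsesFault(Exception):
    """SSES refused the call at the SOAP layer (e.g. invalid APIKey); no StatusCode is returned."""


class SsesError(Exception):
    """SSES processed the call but reported a negative StatusCode."""


@dataclass(frozen=True)
class SsesStatus:
    code: int
    message: Optional[str]

    @property
    def ok(self) -> bool:          # 0 = Success
        return self.code == 0

    @property
    def is_warning(self) -> bool:  # positive = Warning: the operation went through, but log it
        return self.code > 0

    @property
    def is_error(self) -> bool:    # negative = Error
        return self.code < 0


def parse_status(xml_text: str) -> SsesStatus:
    """Raise SsesFault on a SOAP Fault, otherwise return the StatusCode/StatusMessage of any SSES result."""
    # For a peer you do not fully trust, parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        # faultcode/faultstring are unqualified children of SOAP-ENV:Fault in SOAP 1.1
        raise SsesFault(fault.findtext("faultstring") or fault.findtext("faultcode") or "SOAP Fault")
    code_text = root.findtext(f".//{{{MAN_NS}}}StatusCode")
    if code_text is None or not code_text.strip():
        raise ValueError("response carries neither a SOAP Fault nor a StatusCode")
    return SsesStatus(int(code_text.strip()), root.findtext(f".//{{{MAN_NS}}}StatusMessage"))


def check(xml_text: str) -> SsesStatus:
    """Parse and raise on errors; warnings are returned so the caller can log them and continue."""
    status = parse_status(xml_text)
    if status.is_error:
        raise SsesError(f"StatusCode {status.code}: {status.message}")
    return status


# Constructed sample responses (the fault is the one documented for an invalid APIKey).
FAULT = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header/><SOAP-ENV:Body><SOAP-ENV:Fault>
  <faultcode>SOAP-ENV:Server</faultcode><faultstring xml:lang="en">APIKey is invalid</faultstring>
 </SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

SUCCESS = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header/><SOAP-ENV:Body>
  <ns3:RevokeCertificateResponseType xmlns:ns2="http://liga.dk/smartsignatur/management"
      xmlns:ns3="http://liga.dk/smartsignatur/usermanagement">
   <ns3:Status><ns2:StatusCode>0</ns2:StatusCode></ns3:Status>
  </ns3:RevokeCertificateResponseType>
 </SOAP-ENV:Body></SOAP-ENV:Envelope>"""

# Assumption: StatusMessage is a sibling of StatusCode in the management namespace.
WARNING = SUCCESS.replace("<ns2:StatusCode>0</ns2:StatusCode>",
    "<ns2:StatusCode>1</ns2:StatusCode><ns2:StatusMessage>constructed warning text</ns2:StatusMessage>")
ERROR = SUCCESS.replace("<ns2:StatusCode>0</ns2:StatusCode>",
    "<ns2:StatusCode>-1</ns2:StatusCode><ns2:StatusMessage>constructed error text</ns2:StatusMessage>")

if __name__ == "__main__":
    for name, sample in (("SUCCESS", SUCCESS), ("WARNING", WARNING), ("ERROR", ERROR), ("FAULT", FAULT)):
        try:
            print(name, check(sample))
        except (SsesFault, SsesError) as exc:
            print(name, type(exc).__name__, exc)
```

Treat a SOAP Fault differently from a negative StatusCode in monitoring: the fault means the caller's API Key or API Application is wrong (a configuration or credential problem on the integration side), whereas a negative StatusCode means SSES accepted the caller and the business operation itself failed.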

 

UserManagement Endpoint

The UserManagement endpoint consists of functions to manage users in the Nets NemID repository.

Endpoint: https://<host>:<port>/sses400/ws/usermanagement.wsdl

 

Supported methods:

  • OrderCertificate

    • Create a user at Nets and order a certificate

  • UpdateUser

    • Update information on an existing user in the Nets user store

  • RevokeCertificate

    • Revoke a user’s certificate, but leave the user active in the Nets user store

  • DeleteUser

    • Revoke certificate and delete the user at Nets

OrderCertificate

OrderCertificate orders a certificate from Nets.

The user object must exist in the User store (eDirectory).

When a certificate is ordered the following attributes will be set on the user object:

  • SSESCertificateStatus = 40

  • SSESCertificateSerialNumber = The CVR and RID of the Nets certificate waiting to be activated

  • SSESOrderingDate = date of the ordering

  • SSESIssueRefNo = RefNumber used for the activation (encrypted)

  • SSESInstallationCode = InstallationCode used for the activation (encrypted); this value will be sent over SMS to the user.

Request:

 

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="http://liga.dk/smartsignatur/usermanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <user:OrderCertificateRequestType>

         <user:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </user:APIHeader>

         <user:OrderCertificateInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <user:LRACredentials>

               <user:UserId>Full LDAP Context of the AdminUser in eDirectory</user:UserId>

               <user:Password>Password of the Admin User</user:Password>

            </user:LRACredentials>

            <user:CVRNumber>Company CVR/VAT</user:CVRNumber>

            <user:Email>User Email</user:Email>

            <user:Name>Full Name</user:Name>

            <user:Street>Address</user:Street>

            <user:PostalCode>Zip</user:PostalCode>

            <user:CountryCode>DK</user:CountryCode>

            <!--Optional:--> <user:CertificateGroup>NetsCertGroup</user:CertificateGroup>

            <!--Optional:--> <user:UserRole>NetsUserRole</user:UserRole>

            <user:immediateIssuance>true/false</user:immediateIssuance>

            <user:emailInCertificate>true/false</user:emailInCertificate>

         </user:OrderCertificateInput>

      </user:OrderCertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:UpdateUserResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/usermanagement">

         <ns2:StatusCode>0</ns2:StatusCode>

         <ns3:RequiresRenewal>false</ns3:RequiresRenewal>

      </ns3:UpdateUserResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>
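Added example (not the guide's or Liga Software's code): building the OrderCertificate request above with ElementTree rather than string formatting, so that caller-supplied values such as Name or Street are escaped and cannot inject extra elements into the envelope, and posting it over TLS with the CA bundle that issued the SSES server certificate. The element order follows the sample request; the service URL, the absence of a SOAPAction header and the CA bundle path are assumptions.

```python
"""Build and send an OrderCertificate request to the SSES UserManagement endpoint (added example)."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAN_NS = "http://liga.dk/smartsignatur/management"
USER_NS = "http://liga.dk/smartsignatur/usermanagement"
for _prefix, _uri in (("soapenv", SOAP_NS), ("man", MAN_NS), ("user", USER_NS)):
    ET.register_namespace(_prefix, _uri)   # keep the prefixes used in the guide's samples


def _el(parent: ET.Element, ns: str, tag: str, text: Optional[str] = None) -> ET.Element:
    """Append a namespaced child. ElementTree escapes text, so caller-supplied values cannot inject markup."""
    child = ET.SubElement(parent, f"{{{ns}}}{tag}")
    if text is not None:
        child.text = text
    return child


def build_order_certificate(api_key: str, api_app: str, user_dn: str,
                            lra_dn: str, lra_password: str,
                            cvr: str, email: str, name: str, street: str,
                            postal_code: str, country_code: str = "DK",
                            certificate_group: Optional[str] = None,
                            user_role: Optional[str] = None,
                            immediate_issuance: bool = False,
                            email_in_certificate: bool = False) -> bytes:
    """Serialize an OrderCertificateRequestType envelope in the element order of the guide's sample."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = _el(body, USER_NS, "OrderCertificateRequestType")
    hdr = _el(req, USER_NS, "APIHeader")
    _el(hdr, MAN_NS, "APIKey", api_key)                 # one key/application pair per integration host
    _el(hdr, MAN_NS, "APIApplication", api_app)
    inp = _el(req, USER_NS, "OrderCertificateInput")
    _el(inp, MAN_NS, "UserId", user_dn)                 # full LDAP DN of the user in eDirectory
    lra = _el(inp, USER_NS, "LRACredentials")
    _el(lra, USER_NS, "UserId", lra_dn)                 # full LDAP DN of the admin (LRA) user
    _el(lra, USER_NS, "Password", lra_password)
    _el(inp, USER_NS, "CVRNumber", cvr)
    _el(inp, USER_NS, "Email", email)
    _el(inp, USER_NS, "Name", name)
    _el(inp, USER_NS, "Street", street)
    _el(inp, USER_NS, "PostalCode", postal_code)
    _el(inp, USER_NS, "CountryCode", country_code)
    if certificate_group is not None:                   # optional elements are omitted, not sent empty
        _el(inp, USER_NS, "CertificateGroup", certificate_group)
    if user_role is not None:
        _el(inp, USER_NS, "UserRole", user_role)
    _el(inp, USER_NS, "immediateIssuance", "true" if immediate_issuance else "false")
    _el(inp, USER_NS, "emailInCertificate", "true" if email_in_certificate else "false")
    return ET.tostring(env, encoding="utf-8")


def find_texts(xml_bytes: bytes, ns: str, tag: str) -> List[str]:
    """Round-trip helper: parse the envelope again and return the text of every {ns}tag element."""
    root = ET.fromstring(xml_bytes)
    return [e.text or "" for e in root.iter(f"{{{ns}}}{tag}")]


def post_soap(url: str, payload: bytes, ca_bundle: str, timeout: float = 30.0) -> bytes:
    """POST the envelope over TLS; trust only the CA bundle given (hostname and chain are verified)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    envelope = build_order_certificate(
        api_key="<API key from the SSES admin portal>", api_app="HRConnector",
        user_dn="cn=jhansen,ou=users,o=example", lra_dn="cn=lra-admin,ou=system,o=example",
        lra_password="<LRA password>", cvr="12345678", email="jh@example.dk",
        name="Jens Hansen", street="Vestergade 1", postal_code="8000")
    print(envelope.decode())
    # Assumed service URL (the guide lists the WSDL location); uncomment to send for real:
    # print(post_soap("https://sses.example.dk:8443/sses400/ws/usermanagement", envelope, "sses-ca.pem"))
```

Because the request carries the LRA admin password in clear text inside the envelope, TLS with a verified server certificate is not optional; the CA bundle passed to post_soap should contain only the CA that issued the SSES server certificate.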

 

UpdateUser

Update an existing Nets User with a new set of attribute values.

If the updated values require the certificate to be re-issued, the returned RequiresRenewal will be set to true.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="http://liga.dk/smartsignatur/usermanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <user:UpdateUserRequestType>

         <user:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </user:APIHeader>

         <user:UpdateUserInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <user:LRACredentials>

               <user:UserId>Full LDAP Context of the AdminUser in eDirectory</user:UserId>

               <user:Password>Password of the Admin User</user:Password>

            </user:LRACredentials>

            <user:SocialSecurityNumber>CPR</user:SocialSecurityNumber>

            <user:Email>Email</user:Email>

            <user:Name>Fullname</user:Name>

            <user:City>City</user:City>

            <user:Street>Address</user:Street>

            <user:PostalCode>Zip</user:PostalCode>

            <user:CertificateGroup>NetsCertGroup</user:CertificateGroup>

            <user:UserRole>NetsUserRole</user:UserRole>

         </user:UpdateUserInput>

      </user:UpdateUserRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:UpdateUserResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/usermanagement">

         <ns2:StatusCode>0</ns2:StatusCode>

         <ns3:RequiresRenewal>true/false</ns3:RequiresRenewal>

      </ns3:UpdateUserResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

RevokeCertificate

The setting CurrentOnly specifies whether all of the user's certificates registered at Nets should be revoked, or only the certificate currently registered in SmartSignatur.

  • CurrentOnly = false : revokes all Nets certificates for the user

  • CurrentOnly = true : revokes only the current Nets certificate for the user; the current certificate is identified by the SSESCertificateSerialNumber on the user object.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="http://liga.dk/smartsignatur/usermanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <user:RevokeCertificateRequestType>

         <user:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </user:APIHeader>

         <user:RevokeCertificateInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <user:currentOnly>true/false</user:currentOnly>

            <user:LRACredentials>

               <user:UserId>Full LDAP Context of the AdminUser in eDirectory</user:UserId>

               <user:Password>Password of the Admin User</user:Password>

            </user:LRACredentials>

         </user:RevokeCertificateInput>

      </user:RevokeCertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:RevokeCertificateResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/usermanagement">

         <ns3:Status>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:Status>

      </ns3:RevokeCertificateResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

DeleteUser

Deletes a Nets user and revokes the user’s certificate(s).

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:user="http://liga.dk/smartsignatur/usermanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <user:DeleteUserRequestType>

         <user:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </user:APIHeader>

         <user:DeleteUserInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <user:LRACredentials>

               <user:UserId>Full LDAP Context of the AdminUser in eDirectory</user:UserId>

               <user:Password>Password of the Admin User</user:Password>

            </user:LRACredentials>

         </user:DeleteUserInput>

      </user:DeleteUserRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:DeleteUserResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/usermanagement">

         <ns3:Status>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:Status>

      </ns3:DeleteUserResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

  

CertificateManagement Endpoint

The Certificate Management endpoint is a non-public API whose purpose is to manage certificates for users and to support the functions of the SSES GlobalID Kiosk Client.

The Certificate Management SOAP services may be used freely, but Liga Software can change the interface and functionality without prior notice.

 

Endpoint: https://<host>:<port>/sses400/ws/certificatemanagement.wsdl

 

Supported methods:

  • GetUserStatus

    • Retrieve the user status from SSES

  • GetCertificate

    • Retrieve the user’s softkey certificate as a PKCS12 from SecretStore.

  • IssueCard

    • Issues a new card for a user; the Card Serial Number is written to the user object.

  • IssueCertificate

    • Issues a certificate from Nets and stores it as a softkey in SecretStore; the certificate is also included in the result for storage on a smart card

  • RenewCertificate

    • Renewal of a softkey in SecretStore

  • SendInstallationCode

    • For identity proof, send the Installation Code to the user’s mobile phone number.

  • RevokeCard

    • Revokes an issued card’s Card Serial Number. Used when a card is lost or has a defect.

  • SetX509Certificate

    • Used for eID import: associates an existing certificate, issued by another CA, with a user.

  • GetClientConfig

    • Used by the GlobalID Client for support of print and DESFire/Mifare encoding.

 

GetUserStatus

Used for verifying user credentials and retrieving the current status from the SmartSignatur Server.

Based on the current status, the current stage and the next steps for the user can be determined (see the SSESCertificateStatus values under Status, Error codes and Troubleshooting).

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:GetUserStatusRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:GetUserStatusInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

         </cer:GetUserStatusInput>

      </cer:GetUserStatusRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:GetUserStatusResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:GetUserStatusOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

            <ns3:CardID>Value of Current CardID</ns3:CardID>

            <ns3:SSESConfig>Current UserConfig</ns3:SSESConfig>

            <ns3:CertificateInfo>

               <ns3:CertificateStatus>Value of SSESCertificateStatus</ns3:CertificateStatus>

               <ns3:ValidTo>Date of current certificate ValidTo</ns3:ValidTo>

               <ns3:ValidFrom>Date of current certificate ValidFrom</ns3:ValidFrom>

            </ns3:CertificateInfo>

            <ns3:LoginInfo/>

         </ns3:GetUserStatusOutput>

      </ns3:GetUserStatusResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope> 

 

GetCertificate

If SecretStore is used for softkey storage the current user certificate will be output as a Base64 string of the PKCS12.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:GetCertificateRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:UserContext>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

         </cer:UserContext>

      </cer:GetCertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

 

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:GetCertificateResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:GetCertificateOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

            <ns3:PKCS12>Base64 of PKCS12</ns3:PKCS12>

         </ns3:GetCertificateOutput>

      </ns3:GetCertificateResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

IssueCard

Assigns a card's serial number (CSN) to a user, including a self-chosen PIN for the door system.

Because different systems use different formats, the value of the CSN must be the raw hex value; any transformation of the CSN for a door system must be done within the integration to that door system.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:IssueCardRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:IssueCardInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <cer:CardCSN>CSN of the issued Card</cer:CardCSN>

            <cer:CardPin>User choosen Pin</cer:CardPin>

         </cer:IssueCardInput>

      </cer:IssueCardRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:IssueCardResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:StatusType>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:StatusType>

      </ns3:IssueCardResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

IssueCertificate

Issue an already ordered Nets certificate. The certificate will be stored in SecretStore as a softkey.

The request must contain the user’s Ref number and installationCode from Nets.

When a certificate is issued the following attributes will be set on the user object:

 

  • SSESCertificateStatus = 80

  • SSESx509Identifier = Certificate Identifier used for Micro Focus Access Manager

  • SSESCertificateHash = Hash value used for Active Directory Login.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:IssueCertificateRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:IssueCertificateInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <cer:RefNo>Refno</cer:RefNo>

            <cer:InstallCode>InstallCode</cer:InstallCode>

         </cer:IssueCertificateInput>

      </cer:IssueCertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:IssueCertificateResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:IssueCertificateOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

            <ns3:PKCS12>Base64 of PKCS12</ns3:PKCS12>

         </ns3:IssueCertificateOutput>

      </ns3:IssueCertificateResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

RenewCertificate 

Renew an already activated certificate from Nets; the certificate must be stored in SecretStore as a softkey.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:RenewCertificateRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:RenewCertificateInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

         </cer:RenewCertificateInput>

      </cer:RenewCertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:RenewCertificateResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:RenewCertificateOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

            <ns3:PKCS12>Base64 of PKCS12</ns3:PKCS12>

         </ns3:RenewCertificateOutput>

      </ns3:RenewCertificateResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

SendInstallationCode

As identity proof, the InstallationCode is sent to the user by SMS to the mobile number stored on the user object (the Mobile attribute).

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:SendInstallationCodeRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:SendInstallationCodeInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

         </cer:SendInstallationCodeInput>

      </cer:SendInstallationCodeRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:SendInstallationCodeRequestType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:SendInstallationCodeOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:SendInstallationCodeOutput>

      </ns3:SendInstallationCodeRequestType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

RevokeCard

If a card is lost or damaged the card can be revoked from the user.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:RevokeCardRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:RevokeCardInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <cer:Reason>Free-text message specifying the reason for the revocation, e.g. Lost/Damaged</cer:Reason>

         </cer:RevokeCardInput>

      </cer:RevokeCardRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:RevokeCardResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:RevokeCardOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:RevokeCardOutput>

      </ns3:RevokeCardResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

SetX509Certificate

To support externally issued certificates, a certificate can be uploaded to the user.

When a certificate is set the following attributes will be set on the user object:

 

  • SSESCertificateSerialNumber = The Subject from the certificate

  • SSESx509Identifier = Certificate Identifier used for Micro Focus Access Manager

  • SSESCertificateHash = Hash value used for Active Directory Login.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:SetX509CertificateRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:SetX509CertificateInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <cer:X509>BASE64 of the Certificate</cer:X509>

         </cer:SetX509CertificateInput>

      </cer:SetX509CertificateRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:SetX509CertificateResponceType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:SetX509CertificateOutput>

            <ns2:StatusCode>0</ns2:StatusCode>

         </ns3:SetX509CertificateOutput>

      </ns3:SetX509CertificateResponceType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

GetClientConfig

GetClientConfig is used by the SmartSignatur clients to get the print and Mifare layout for the user.

The response includes the values of the attributes specified for the configuration and an XML tag for the ID’s Print and Mifare layout.

 

Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cer="http://liga.dk/smartsignatur/certificatemanagement" xmlns:man="http://liga.dk/smartsignatur/management">

   <soapenv:Header/>

   <soapenv:Body>

      <cer:GetClientConfigRequestType>

         <cer:APIHeader>

            <man:APIKey>APIKey</man:APIKey>

            <man:APIApplication>APIApplication</man:APIApplication>

         </cer:APIHeader>

         <cer:GetClientConfigInput>

            <man:UserId>Full LDAP Context of the User in eDirectory</man:UserId>

            <man:Password>User Password</man:Password>

            <cer:ConfigCN>ID of the config</cer:ConfigCN>

         </cer:GetClientConfigInput>

      </cer:GetClientConfigRequestType>

   </soapenv:Body>

</soapenv:Envelope>

 

Result:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

   <SOAP-ENV:Header/>

   <SOAP-ENV:Body>

      <ns3:GetClientConfigResponseType xmlns:ns2="http://liga.dk/smartsignatur/management" xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">

         <ns3:GetClientConfigResponse>

            <ns2:StatusCode>0</ns2:StatusCode>

            <ns3:UserAttributes>

               <ns3:UserAttribute>

                  <ns3:userField>LDAP attribute 1 name</ns3:userField>

                  <ns3:value>Value of the attribute 1</ns3:value>

               </ns3:UserAttribute>

               <ns3:UserAttribute>

                  <ns3:userField>LDAP attribute 2 name</ns3:userField>

                  <ns3:value>Value of the attribute 2</ns3:value>

               </ns3:UserAttribute>

            </ns3:UserAttributes>

            <ns3:PrintConfig><![CDATA[<cardprint>…</cardprint>]]></ns3:PrintConfig>

            <ns3:MifareConfig><![CDATA[<mifare>…</mifare>]]></ns3:MifareConfig>

         </ns3:GetClientConfigResponse>

      </ns3:GetClientConfigResponseType>

   </SOAP-ENV:Body>

</SOAP-ENV:Envelope>

 

SmartSignatur attributes

User SSES Attributes

SSES maintains the following attributes on the users:

SSESAction

Used by the SmartSignatur IDM Drivers. If you are not using Micro Focus IDM and SmartSignatur’s IDM Drivers, implement your own IDM drivers for the action triggers below.

0 No Action

1 SSESSoap Driver will trigger the Ordering process

2 SSESSoap Driver will trigger revocation

3 SSESSoap Driver will trigger user deletion (including revocation)

SSESConfig

The assigned SSES profile for the user; please see the separate guide for the SSESConfig attribute.

The value is set by the SSES HR portal when issuing a certificate.

SSESConfig can also be set by an IDM system.

SSESCertificateStatus

Progress status of the Nets/DanID certificate; see the SSESCertificateStatus values under Status, Error codes and Troubleshooting.

SSESCertificateSerialNumber

RID or PID of the Nets/DanID certificate (CVR and RID for an employee certificate, see OrderCertificate)

SSESValidFrom

Certificate valid from date

SSESValidTo

Certificate valid to date

SSESCertificateHash

SHA-1 hash of the certificate’s public key, used for validation of the certificate and for 2-factor logon to Active Directory

SSESCertificateHistory

List of certificate events (revocation, renewal)

SSESx509Identifier

Used for Micro Focus Access Manager 2-factor Certificate login

SSESIssueRefNo

Encrypted value of the Nets/DanID reference number

SSESIssueOrderDate

Date when the certificate was ordered

SSESIssueInstallCode

Encrypted value of the Nets/DanID Installation code

SSESCardId

The raw CSN of the issued card; this number might need to be converted for FollowMe print to identify the card.

SSESCardPin

Pin code for physical door access.

NOTE: This is not the same PIN as the smart card PIN, since physical access applications often store the PIN in clear text.

SSESSocialSecurityNumber

(optional) Social security number (CPR) of the user, if needed for FMK or other national services.

 

Base User Attributes used

SSES uses the following base attributes on the users:

CN

UserID used for login

Mobile

Used for sending SMS with the installation code

 

Note: the attribute names can be mapped to other attributes using the LDAP group objects in eDirectory.

Status, Error codes and Troubleshooting

SSESCertificateStatus values

On each user the current status of the ordering, issue and renewal process is updated in each step. If a process is cancelled or an error was returned, the SSESCertificateStatus can help identify where in the process the user was.

Value           Meaning

0 or no value   No certificate issued, or the certificate is revoked

30              Success: Nets Issue Certificate started

31              Error: Nets Issue Certificate failed

40              Success: Nets Issue Certificate finished

42              User started the issue process from the Client

44              User started the issue process from the Browser

45              Web server process failed

46              Web server process succeeded

52              Success: StraksUdsted (immediate issuance) started

53              Error: StraksUdsted failed

54              Success: StraksUdsted finished

56              Success: Renew request started (before sending to Nets)

57              Error: Renew failed

60              Success: Certificate Issue started (before Nets communication)

61              Error: Certificate Issue failed

70              Success: Certificate issued (not yet stored)

71              Error: Certificate could not be stored in SecretStore

80              Success: Certificate issued and stored
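Added example (not part of the guide): interpreting a GetUserStatus result from the CertificateManagement endpoint with the SSESCertificateStatus table above to decide the next API call for the user. The mapping from status value to next step, and the ISO 8601 date format assumed for ValidTo, should be verified against the deployment; the sample responses are constructed.

```python
"""Turn a GetUserStatus result into the next SSES step (added example; status mapping is an assumption)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import xml.etree.ElementTree as ET

MAN_NS = "http://liga.dk/smartsignatur/management"
CERT_NS = "http://liga.dk/smartsignatur/certificatemanagement"

# SSESCertificateStatus values from the table above.
STATUS_ORDERED = 40                      # Nets order finished; waiting for RefNo + InstallationCode activation
STATUS_ISSUED = 80                       # certificate issued and stored in SecretStore
ERROR_STATES = {31, 45, 53, 57, 61, 71}  # a step failed; SSESCertificateStatus stays at the failed step
IN_PROGRESS_STATES = {30, 42, 44, 46, 52, 54, 56, 60, 70}


@dataclass(frozen=True)
class UserStatus:
    status_code: int            # StatusCode of the GetUserStatus call itself
    cert_status: int            # SSESCertificateStatus (0 when empty)
    valid_to: Optional[date]    # ValidTo of the current certificate, if any
    card_id: Optional[str]      # CSN of the issued card, if any


def _int(text: Optional[str], default: int = 0) -> int:
    return int(text) if text and text.strip() else default


def _date_or_none(text: Optional[str]) -> Optional[date]:
    # Assumption: ValidTo/ValidFrom are ISO 8601 (the guide only says "date"); adjust to your server.
    if not text or not text.strip():
        return None
    return date.fromisoformat(text.strip()[:10])


def parse_user_status(xml_text: str) -> UserStatus:
    root = ET.fromstring(xml_text)
    out = root.find(f".//{{{CERT_NS}}}GetUserStatusOutput")
    if out is None:
        raise ValueError("not a GetUserStatus response")
    info = f"{{{CERT_NS}}}CertificateInfo/"
    return UserStatus(
        status_code=_int(out.findtext(f"{{{MAN_NS}}}StatusCode")),
        cert_status=_int(out.findtext(info + f"{{{CERT_NS}}}CertificateStatus")),
        valid_to=_date_or_none(out.findtext(info + f"{{{CERT_NS}}}ValidTo")),
        card_id=(out.findtext(f"{{{CERT_NS}}}CardID") or "").strip() or None,
    )


def next_step(us: UserStatus, today_iso: str, renew_within_days: int = 30) -> str:
    """Assumed flow: OrderCertificate -> SendInstallationCode + IssueCertificate -> RenewCertificate near expiry."""
    today = date.fromisoformat(today_iso)
    if us.status_code < 0:
        return "call failed: check StatusMessage and sses.log"
    if us.cert_status in ERROR_STATES:
        return f"error state {us.cert_status}: check sses.log, then repeat the failed step"
    if us.cert_status == 0:
        return "OrderCertificate"
    if us.cert_status == STATUS_ORDERED:
        return "SendInstallationCode, then IssueCertificate with RefNo and InstallCode"
    if us.cert_status == STATUS_ISSUED:
        if us.valid_to is not None and us.valid_to - today <= timedelta(days=renew_within_days):
            return "RenewCertificate"
        return "nothing to do"
    if us.cert_status in IN_PROGRESS_STATES:
        return f"in progress at step {us.cert_status}: wait for the client or web flow to finish"
    return f"unknown SSESCertificateStatus {us.cert_status}"


# Constructed sample responses in the layout of the GetUserStatus result shown in the guide.
ORDERED = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header/><SOAP-ENV:Body>
  <ns3:GetUserStatusResponseType xmlns:ns2="http://liga.dk/smartsignatur/management"
      xmlns:ns3="http://liga.dk/smartsignatur/certificatemanagement">
   <ns3:GetUserStatusOutput>
    <ns2:StatusCode>0</ns2:StatusCode>
    <ns3:CardID></ns3:CardID>
    <ns3:SSESConfig>default</ns3:SSESConfig>
    <ns3:CertificateInfo>
     <ns3:CertificateStatus>40</ns3:CertificateStatus>
     <ns3:ValidTo></ns3:ValidTo>
     <ns3:ValidFrom></ns3:ValidFrom>
    </ns3:CertificateInfo>
    <ns3:LoginInfo/>
   </ns3:GetUserStatusOutput>
  </ns3:GetUserStatusResponseType>
 </SOAP-ENV:Body></SOAP-ENV:Envelope>"""

ISSUED = (ORDERED
          .replace("<ns3:CertificateStatus>40</ns3:CertificateStatus>", "<ns3:CertificateStatus>80</ns3:CertificateStatus>")
          .replace("<ns3:ValidTo></ns3:ValidTo>", "<ns3:ValidTo>2026-03-01</ns3:ValidTo>")
          .replace("<ns3:CardID></ns3:CardID>", "<ns3:CardID>04A1B2C3D4E5F6</ns3:CardID>"))

if __name__ == "__main__":
    for sample in (ORDERED, ISSUED):
        us = parse_user_status(sample)
        print(us, "->", next_step(us, "2026-02-15"))
```

The error states are all odd values in the table (31, 53, 57, 61, 71) plus 45; treating them as a set rather than a single "failed" flag keeps the failing step visible in the alert, which is what the troubleshooting section above relies on.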

 

Error codes

SSES Server Logfiles

File                               Name          Content

%tomcathome%/logs/sses.log         BusinessLog   Contains system-related events that are not user-related.

%tomcathome%/logs/debug/sses.log   Tracelog      Contains a log of all user and web service events; both requests and results are logged.

Since the Tracelog records requests and results, and the requests above carry user and LRA passwords while some results carry a PKCS12, restrict access to the debug log directory in the same way as to the SecretStore and rotate or purge it regularly.

 

SSES Soap Service Error code

 

 

 

 

 

Nets/DanID error codes

For error codes from Nets/DanID, please refer to the latest TU (tjenesteudbyder, service provider) packages from nets.eu:

https://www.nets.eu/dk-da/kundeservice/nemid-tjenesteudbyder/NemID-tjenesteudbyderpakken