Installation Guide SmartSignatur SSES Server

For SSES Server version 4.0.12

v1.2

 

Planning and overview

This Installation Guide provides instructions for installing the SmartSignatur Enrollment Server (SSES) and describes how to install the individual components in a distributed environment.

The SmartSignatur SSES product consists of the following components:

  • WebService for CA communication

  • WebService for Client Enrollment, including kiosk client

  • Custom eDirectory schema and system objects for SSES

  • IDM driver for leveraging the WebService

  • IDM driver for setting SSES custom schema on users

  • Management portal for SSES Service

  • Management portal for Users and certificates

Overview

 

Requirements

OS support

SSES 4.0 is supported on Linux and Windows.

Java and Tomcat

Java version 1.8 or newer is required. SSES supports OpenJDK and Oracle JDK.

Tomcat versions 7, 8 and 9 are supported.

The Java and Tomcat instances installed with NetIQ iManager 2.7.x and 3.x (as part of NetIQ Identity Manager) can host SSES alongside iManager.

This guide assumes that Java and Tomcat are already installed, either with NetIQ Identity Manager or as a custom installation of Java and Tomcat.

 

Nets WebService Agreement

Note: This is optional.

SSES 4 can automate ordering and revocation of certificates at Nets by leveraging the Nets WebServices.

The Nets WebServices are normally used for installations with a larger user base; without them, ordering and revocation are done manually by the local certificate administrator.

 

VOCES Certificate

The company's VOCES certificate is used in the communication with Nets for ordering and revocation of user certificates.

VOCES is optional. If the company does not have a VOCES certificate, the local certificate administrator must order and revoke certificates manually.

 

Webserver Certificate

All client and API communication must be secured with TLS (HTTPS); Tomcat must be configured with a wildcard (*) or single-name DNS certificate that the client devices trust.

 

User Attributes

The following information is required for user objects in eDirectory.

Required attributes:

  • CN (Login UserID)

  • Password (for validation in the GlobalID Kiosk Client)

  • Mobile (for 2-factor SMS-validation when issuing a certificate in the GlobalID Kiosk Client)

 

The following information is optional for user objects in eDirectory:

Optional attributes:

  • Internet Email Address (only required if email signing and encryption is required)

  • Full Name (Configurable in driver GCV)

  • homePostalAddress (Configurable in driver GCV)

  • homeZipCode (Configurable in driver GCV)

Note: if a user's homePostalAddress and/or homeZipCode has no value, the company address from the driver GCVs is used instead.

 

eDirectory Universal Password Policies

Universal Password must be configured both for the SmartSignatur users and for the administrative SSES users.


Configuration

Updating to Java Unlimited Strength – Only for Oracle JDK

Oracle JDK builds older than 8u161 ship with a limited-strength JCE policy, so the JDK used by the Tomcat server must be patched with the matching Java Unlimited Strength policy files. OpenJDK, Oracle JDK 8u161 and newer, and Java 9 and newer already use unlimited strength by default, so this step can be skipped for them. SSES 4 requires Java 1.8 or newer; the Java 7 policy files are kept in the installation set for reference only.

The policy files belong in the lib/security directory of the JRE that Tomcat actually runs on: for a JDK 8 installation that is <java-home>/jre/lib/security, for a plain JRE it is <java-home>/lib/security.

Java 7 Unlimited Strength

Copy the two JAR files (local_policy.jar and US_export_policy.jar) from the installation set's UnlimitedJCEPolicyJDK7 folder to that lib/security directory.

The existing files can be overwritten or renamed, but do not use the .jar extension for backup files.

Restart the Tomcat server for the updated JAR files to take effect.

Java 8 Unlimited Strength

Copy the two JAR files (local_policy.jar and US_export_policy.jar) from the installation set's UnlimitedJCEPolicyJDK8 folder to that lib/security directory.

The existing files can be overwritten or renamed, but do not use the .jar extension for backup files.

Restart the Tomcat server for the updated JAR files to take effect.

 

Preparation of certificate files

 

SSES uses five keystores:

CA Certs: the trusted root certificates (the default Java cacerts).

eDirectory CA certificate: used to trust the secure LDAP (LDAPS) connection to eDirectory.

Nets CA certificate: used to trust the Nets/DanID CA in the communication with Nets.

VOCES certificate: the company's certificate and private key, used for 2-way TLS communication with Nets.

Web server certificate: used for HTTPS client communication; this certificate must be trusted by the client devices accessing SSES.

Note: this guide uses the Java keytool to create .jks files. keytool is located in the Java bin directory (normally $JAVA_HOME/bin/keytool on Linux and %JAVA_HOME%\bin\keytool.exe on Windows).

 

CA Certs

The trusted root certificates are shipped with Java. The default Java cacerts keystore can be used without modification; it has no file extension by default (<java-home>/lib/security/cacerts, or <java-home>/jre/lib/security/cacerts on a JDK 8 installation) and its default password is changeit. This guide refers to it as cacerts.jks.

The path and password of the cacerts keystore must be configured in the sses.properties file.

eDirectory CA certs

The eDirectory CA certificate is used to validate the LDAPS connection that clients and SSES use when storing certificates and user data in eDirectory. Follow these steps to export the current eDirectory CA certificate:

Log in to NetIQ iManager as an admin-equivalent account.

Select "Directory Administration" in the left menu.

Select the CA object in the Security container.

Click "OK".

Select "Certificates".

Check the "Self Signed Certificate RSA".

Click "Export".

De-select "Export private key".

Select "DER" format.

Click "Next".

Click "Save the exported certificate" and select a temporary path for storing the file.

The file is referred to as "SmartSignaturCA.der" in the rest of this installation guide.

Create a Java keystore containing SmartSignaturCA.der:

keytool -importcert -keystore ldap_trust.jks -file SmartSignaturCA.der -alias ldap

Type in a new keystore password twice and answer "yes" when asked whether to trust the certificate.

The password of the ldap_trust.jks file is added to the sses.properties file later (idm.ldap.config.truststore.password).

 

Nets CA cert

A link to the current Nets CA certificate can be found at: https://www.nets.eu/dk-da/kundeservice/NemID-Til-Private/Pages/Repository.aspx

As of mid-2019 the link is http://www.trust2408.com/repository/PCA.crt, but the link could change in the future.

Download the current Nets CA certificate (note that the URL can change):

curl http://www.trust2408.com/repository/PCA.crt --output PCA.crt

The download is over plain HTTP, so it cannot be trusted on its own: before importing the file, compare its fingerprint with a copy of the Nets CA certificate obtained through a trusted channel.

Create a Java keystore containing PCA.crt:

keytool -importcert -keystore nets_trust.jks -file PCA.crt -alias nets

Type in a new keystore password twice and answer "yes" when asked whether to trust the certificate.

The password of the nets_trust.jks file will later be added to the sses.properties file.

 

VOCES cert

The VOCES certificate is only necessary when using the optional Nets WebServices.

Get a copy of the customer's current VOCES certificate or order one at Nets; please consult Liga or Nets for ordering a VOCES certificate.

The VOCES certificate normally comes as a P12 (PKCS#12) or PEM file. Because it is used for 2-way TLS with Nets, the resulting keystore must contain the private key as well as the certificate.

FOR P12 FILES:

Convert voces.p12 into a Java keystore:

keytool -importkeystore -srckeystore voces.p12 -srcstoretype pkcs12 -destkeystore voces.jks -deststoretype jks -srcalias <alias-in-p12> -destalias voces

keytool requires -srcalias whenever -destalias is given; the alias of the key entry in the P12 file can be shown with keytool's -list option against voces.p12 (store type pkcs12). Type in a new password for voces.jks twice, then the password of the P12 file. No trust question is asked, because the entry is imported with its private key.

FOR PEM FILES:

A PEM file that contains only the certificate can be imported with:

keytool -importcert -keystore voces.jks -file voces.pem -alias voces

Type in a new keystore password twice and answer "yes" when asked whether to trust the certificate. Note that this imports the certificate only. If the private key was delivered in PEM form, bundle key and certificate into a PKCS#12 file first (for example with openssl's pkcs12 -export command) and follow the P12 steps instead; otherwise SSES cannot authenticate to Nets.

The password of the voces.jks file will later be added to the sses.properties file (nets.certificate.provider.config.selfservice.keystore.password).

 

Webserver cert

For secure communication with clients a TLS server certificate is used. The clients must trust the certificate, so it should be issued by a CA that the client devices already trust. A wildcard certificate can be used.

The certificate can be supplied as a PEM or JKS file; the configuration is described later in this guide (Update Tomcat server.xml).

 

Installation

Schema Extensions

Import SmartSignatur Schema extensions.

 

Log in to NetIQ iManager as an admin-equivalent account.

Select “Schema” -> “Extend Schema” in the left menu.

 

Click “Next”.

Select the file type “Schema File”.

Browse to the SSES.sch file.

 

Click “Next”.

Type the eDirectory server IP address or DNS name and the LDAP port.

Depending on your configuration, a secure connection (LDAPS, normally port 636) may be required.

Type the login information of an administrative user.

Click “Next”.

Click “Finish” to execute the command.

NetIQ Import Convert Export utility for NetIQ eDirectory

version: 40101.32

Copyright (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved. U.S. Patent No. 6,915,287.

Source Handler: ICE SCH Data handler for NetIQ eDirectory (version: 40101.32 )

Destination Handler: ICE LDAP handler for NetIQ eDirectory (version: 40101.32 )

Getting source schema...done.

Summary :

    Total Records Parsed    = 23

    Attributes Parsed   = 20

    ObjectClasses Parsed    = 3

Getting destination schema...done.

Starting schema update...

Done.

Options Used:

 -l/var/opt/novell/iManager/nps/WEB-INF/temp/ice6127458283624300796/ice.log -e/var/opt/novell/iManager/nps/WEB-INF/temp/ice6127458283624300796/error.ldf -C -a -SSCH -f/var/opt/novell/iManager/nps/WEB-INF/temp/ice6127458283624300796/ice4065498808425533125.tmp -DLDAP -s192.168.10.44 -p636 -dcn=admin,ou=sa,o=system -L    var/opt/novell/iManager/nps/WEB-INF/temp/ice6127458283624300796/ice5569002045172553927.tmp -V    

Normal output without verbose logging.

 

Creating eDirectory Objects

SmartSignatur Admin Account

The SmartSignatur Admin account is the service account SSES uses to modify user objects in eDirectory. Grant it only the following eDirectory rights; it does not need to be admin-equivalent:

  • Browse rights to the OUs where users are placed.

  • Compare, Read and Write rights to all SSES:* attributes on users in the OUs where users are placed.

  • Browse and Read rights to the SmartSignatur System OU object.

  • Optional, if certificates are stored in NetIQ SecretStore: the right to write secrets in SecretStore on the user objects.

 

Universal Password Policies

Universal Password must be configured for SmartSignatur users and SSES administrative users.

 

SmartSignatur Admin Group

Members of this group can order and revoke certificates for other users.

Create a group object; no additional eDirectory rights are necessary.

 

SmartSignatur UI Admin Group

Members of this group can help other users issue and renew certificates in the Kiosk client.

Create a group object for UI Admins; no additional eDirectory rights are necessary.

 

SmartSignatur HR Admin Group

Members of this group can manage users in the SmartSignatur HR Portal. Management includes user creation, modification, deletion and group membership management.

Create a group object for HR Admins; no additional eDirectory rights are necessary.

 

SmartSignatur Default System Objects

The SmartSignatur Configuration object contains:

  • Configuration of allowed certificate types, including key placement, print layout.

  • API Keys for client access.

BEFORE importing the LDIF file with the default configuration, replace the object placement: every occurrence of "ou=SmartSignatur,o=system" in the file must be changed to the container in the customer's eDirectory, and the same container is configured later as idm.ldap.config.root in sses.properties.
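The rewrite described above can be done with an editor or sed, but a DN suffix that is wrapped across LDIF continuation lines, or that appears in a DN-valued attribute rather than a dn: line, is easy to miss. The following is an added example (not part of the SSES installation set) that rewrites the container suffix on every attribute value and then reports any leftover reference; the LDIF text inside it is constructed for the example and is not the real DefaultSSESObjects.ldif.

```python
"""Rewrite the container DN in an LDIF file before it is imported.

Added example; it is not part of the SSES installation set.  The default
DefaultSSESObjects.ldif places its objects under ou=SmartSignatur,o=system,
and this rewrites that suffix on every DN-valued line to the customer's
container before the file goes through the Import Convert Export wizard.
The LDIF below is constructed for the example and is not the real file.
"""
import re

# Constructed sample: a container and two objects under the default base,
# plus a DN-valued attribute (seeAlso) that points inside the container,
# wrapped over two lines, and therefore has to be rewritten too.
SAMPLE_LDIF = """\
version: 1

dn: ou=SmartSignatur,o=system
objectClass: organizationalUnit
ou: SmartSignatur

dn: cn=SSESConfig,ou=SmartSignatur,o=system
objectClass: top
cn: SSESConfig
seeAlso: cn=SSESCardPrint,ou=SmartSignatur,
 o=system

dn: cn=SSESCardPrint,ou=SmartSignatur,o=system
objectClass: top
cn: SSESCardPrint
"""

ATTR_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w.;-]*): (?P<value>.*)$")


def unfold(ldif: str) -> str:
    """Join RFC 2849 continuation lines (a leading space) so that a DN
    wrapped across two lines is matched as one value."""
    return re.sub(r"\r?\n ", "", ldif)


def _norm(dn: str) -> str:
    """Normalise a DN for comparison: trim and drop spaces after commas."""
    return re.sub(r",\s*", ",", dn.strip())


def rebase_ldif(ldif: str, old_base: str, new_base: str) -> str:
    """Return ldif with every attribute value that equals or ends in
    old_base rewritten to end in new_base.  The comparison is
    case-insensitive, as LDAP DN matching is; the RDNs in front of the base
    are kept as they are.  Base64 values (attr:: ...) are left untouched and
    must be checked by hand."""
    ob = _norm(old_base)
    out = []
    for line in unfold(ldif).splitlines():
        m = ATTR_LINE.match(line)
        if m:
            nv = _norm(m.group("value"))
            low, lob = nv.lower(), ob.lower()
            if low == lob or low.endswith("," + lob):
                prefix = nv[: len(nv) - len(ob)]
                line = f"{m.group('attr')}: {prefix}{new_base}"
        out.append(line)
    return "\n".join(out) + "\n"


def remaining_references(ldif: str, old_base: str) -> list:
    """Lines that still mention old_base after the rewrite; should be empty
    before the file is imported."""
    lob = _norm(old_base).lower()
    return [l for l in ldif.splitlines() if lob in _norm(l).lower()]


if __name__ == "__main__":
    rewritten = rebase_ldif(SAMPLE_LDIF, "ou=SmartSignatur,o=system",
                            "ou=SmartSignatur,ou=services,o=acme")
    print(rewritten)
    print("leftover:", remaining_references(rewritten, "ou=SmartSignatur,o=system"))
```

Run it against the real file by reading it into rebase_ldif with the customer's container as new_base, and only import the result when remaining_references returns an empty list.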

 

 

Log in to NetIQ iManager as an admin-equivalent account.

Select “eDirectory Maintenance” -> “Import Convert Export Wizard”.

Select “Import data from file on disk”.

Click “Next”.

Select file type “LDIF” and select the DefaultSSESObjects.ldif file from the SSESObjects folder in the installation.

Click “Next”.

Type the eDirectory server IP address or DNS name and the LDAP port.

Depending on your configuration, a secure connection (LDAPS, normally port 636) may be required.

Type the login information of an administrative user.

Click “Next”.

 

NetIQ Import Convert Export utility for NetIQ eDirectory

version: 40101.32

Copyright (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved. U.S. Patent No. 6,915,287.

Source Handler: ICE LDIF handler for NetIQ eDirectory (version: 40101.32 )

Destination Handler: ICE LDAP handler for NetIQ eDirectory (version: 40101.32 )

ICE log file: /var/opt/novell/iManager/nps/WEB-INF/temp/ice8269428982201924432/ice.log

Start time: Wed Oct 23 11:56:24 2019

Press control-C to exit

Operation in progress ...

Warning: No version specified for LDIF file. Using version 1

Total entries processed: 3

Total entries failed: 0

End time: Wed Oct 23 11:56:24 2019

Total Time:  0:00:01.026

Time per entry: 00:00.342

Options Used:

 -l/var/opt/novell/iManager/nps/WEB-INF/temp/ice8269428982201924432/ice.log -e/var/opt/novell/iManager/nps/WEB-INF/temp/ice8269428982201924432/error.ldf -SLDIF -f/var/opt/novell/iManager/nps/WEB-INF/temp/ice8269428982201924432/ice2967398100369646576.tmp -DLDAP -s192.168.10.44 -p636 -dcn=admin,ou=sa,o=system -L var/opt/novell/iManager/nps/WEB-INF/temp/ice8269428982201924432/ice2837635283415718428.tmp -B

Normal output without verbose logging.

 

Customizing Card Print and Encode Configuration Object(s)

The SmartSignatur Card Print and Encode Configuration object contains:

 

  • Configuration of Mifare layouts for encoding cards

  • Configuration of Desfire layouts for encoding cards

  • Configuration of print layouts for cards

Please consult Liga for creation and modification of the SmartSignatur Card Print and Encode Configuration object(s).

 

Tomcat configuration

Configure Spring Profile – AZUL

Not yet documented in this version of the guide: what the Azul JDK profile requires is still an open item (the source notes a hard-coded path in Application.yml).

Configure Spring Profile – ORACLE

Add the following line to the Tomcat configuration file TOMCAT_HOME/conf/tomcat<x>.conf. The file is sourced as a shell script, so there must be no spaces around the equals sign:

JAVA_OPTS="$JAVA_OPTS -Dspring.profiles.active=prod"

The line must be placed after the first JAVA_OPTS setting in the configuration file, so that it appends to the existing options instead of replacing them. On a stand-alone Tomcat without a tomcat<x>.conf, the same line goes in TOMCAT_HOME/bin/setenv.sh (setenv.bat on Windows).

Certificate files and sses.properties

Copy the five keystore (.jks) files from the section "Preparation of certificate files", together with the sses400 directory from the SmartSignatur installation set, to the folder /var/opt/sses400. The keystores contain private keys and their passwords end up in sses.properties and server.xml, so make the folder readable only by the account Tomcat runs as.


Update Tomcat server.xml

Ensure that the port numbers are unique and that the paths and passwords for the keystore and truststore are correct.

·       Default NonSSLPort: 8080

·       Default SSLPort: 8443

·       Password and path of the web server certificate keystore (web_server.jks)

Add the following to the existing server.xml, replacing <NonSSLPort>, <SSLPort> and <WebKeystorePassword> with the real values (the file is not well-formed XML until the placeholders are replaced):

<Connector port="<NonSSLPort>" protocol="HTTP/1.1"
           connectionTimeout="20000" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" redirectPort="<SSLPort>" acceptCount="100"
           disableUploadTimeout="true"/>

<Connector port="<SSLPort>" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" maxHttpHeaderSize="8192" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keystoreFile="/var/opt/sses400/web_server.jks"
           keystorePass="<WebKeystorePassword>"/>

keystorePass is the password of the web server keystore itself, not of a truststore, and it is stored in clear text in server.xml; restrict the file's permissions accordingly. redirectPort alone does not force HTTPS: plain HTTP requests are still served unless the application requires a confidential channel, so do not expose <NonSSLPort> beyond the host if it is not needed. On Tomcat 8.5 and 9 the keystoreFile, keystorePass, sslProtocol and clientAuth attributes on the Connector are still accepted but are deprecated in favour of a nested SSLHostConfig element.
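As an added check (not part of SSES or Tomcat), the following Python reads a server.xml and reports the mistakes that are easy to make when copying the fragment above: placeholders left in, duplicate ports, an HTTP connector without a redirectPort to an HTTPS connector, TLS 1.0/1.1 still enabled, and a missing keystore path or password. The two server.xml texts in it are constructed for the example, one with the weak settings and one corrected.

```python
"""Check a Tomcat server.xml for the connector settings this guide requires.

Added example, not part of SSES or Tomcat.  It parses the <Connector>
elements and reports the mistakes that are easy to make when copying the
fragment above: placeholders such as <SSLPort> or <WebKeystorePassword>
left in, duplicate ports, an HTTP connector that does not redirect to the
HTTPS port, TLS 1.0/1.1 still enabled, and a missing keystore path or
password.  Both server.xml texts below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample with two deliberate problems: the HTTP connector has no
# redirectPort and the HTTPS connector still allows TLSv1 and TLSv1.1.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" maxHttpHeaderSize="8192"
               enableLookups="false" acceptCount="100"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="/var/opt/sses400/web_server.jks"
               keystorePass="example-keystore-password"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# The same file with both problems corrected.
FIXED_SERVER_XML = WEAK_SERVER_XML.replace(
    'acceptCount="100"/>', 'acceptCount="100" redirectPort="8443"/>'
).replace('"TLSv1,TLSv1.1,TLSv1.2"', '"TLSv1.2"')

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PLACEHOLDER = re.compile(r'=\s*"(<[A-Za-z]+>)"')


def check_connectors(server_xml: str) -> list:
    """Return a list of findings; an empty list means the connectors match
    the guide."""
    leftover = sorted(set(PLACEHOLDER.findall(server_xml)))
    if leftover:
        # Unreplaced <...> placeholders are not even well-formed XML, so
        # report them before parsing.
        return [f"placeholder(s) never replaced: {leftover}"]
    findings = []
    root = ET.fromstring(server_xml)
    seen_ports = set()
    https_ports = set()
    http_connectors = []
    for c in root.iter("Connector"):
        port = c.get("port", "")
        if not port.isdigit():
            findings.append(f"connector port {port!r} is not a number")
            continue
        if port in seen_ports:
            findings.append(f"port {port} is used by more than one connector")
        seen_ports.add(port)
        if c.get("SSLEnabled", "false").lower() != "true":
            http_connectors.append(c)
            continue
        https_ports.add(port)
        protos = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        weak = sorted(protos - ALLOWED_PROTOCOLS)
        if not protos:
            findings.append(f"HTTPS connector {port}: sslEnabledProtocols is not set")
        elif weak:
            findings.append(f"HTTPS connector {port}: weak protocols enabled {weak}")
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                findings.append(f"HTTPS connector {port}: {attr} is missing")
    for c in http_connectors:
        port, redirect = c.get("port"), c.get("redirectPort")
        if redirect is None:
            findings.append(f"HTTP connector {port}: no redirectPort, clients are not sent to HTTPS")
        elif redirect not in https_ports:
            findings.append(f"HTTP connector {port}: redirectPort {redirect} is not an HTTPS connector")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(name, check_connectors(xml_text) or "OK")
```

To check a real installation, read TOMCAT_HOME/conf/server.xml into check_connectors; an empty result means the connectors match the guide, anything else is a line to fix before starting Tomcat.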

 

Configuration of SSES

Copy the default sses.properties from the installation set to /var/opt/sses400 and edit the file.

Change the following settings:

encryption.password=<RandomEncryptionKey>

Set this to a random text string (no spaces) of at least 32 characters, generated from a proper random source rather than typed by hand.

The encryption.password is used for encryption and decryption of the settings in the sses.properties file. Anyone who can read the file can decrypt every value in it, so the file permissions matter as much as the key itself.

Password encryption

All passwords for system accounts, JKS files and keystores are stored encrypted in the configuration files, using the value of encryption.password.

Use CryptoService-1.0.jar to encrypt a string:

$JAVA_HOME/bin/java -jar CryptoService-1.0.jar encrypt <Value of encryption.password> data

Sample:

$JAVA_HOME/bin/java -jar CryptoService-1.0.jar encrypt SecretKey1234567890aBcdEfGadfdsaft cn=SmartSignaturAdmin,ou=sa,o=system

(On Windows use %JAVA_HOME%\bin\java.) Paste the resulting output into sses.properties. The command takes the encryption key as a command-line argument, so it ends up in the shell history and is visible in the process list while it runs: run it on the SSES host from a shell with history disabled, and clear the history afterwards.

SSES Configuration update

Change the following settings in the sses.properties file:

ldap.config.provider.url=<host>:<port>
The eDirectory server and port used for secure LDAP (LDAPS) communication.

idm.ldap.config.adminGroup=<groupFDN>
LDAP FDN of the SmartSignatur Admin Group object. Members of this group can manage the SmartSignatur server (order and revoke certificates for other users).

idm.ldap.config.ui.adminGroup=<groupFDN>
LDAP FDN of the SmartSignatur UI Admin Group object. Members of this group can help other users issue and renew certificates in the Kiosk client.

idm.ldap.config.ui.hr.adminGroup=<groupFDN>
LDAP FDN of the SmartSignatur HR Admin Group object. Members of this group can manage users in the SmartSignatur HR portal.

idm.ldap.config.admin.principal=<EncryptedAccountFDN>
Encrypted LDAP FDN of the SmartSignatur administrative service account.

idm.ldap.config.admin.credentials=<EncryptedPassword>
Encrypted password of the SmartSignatur administrative service account.

idm.ldap.config.root=OU=SmartSignatur,O=System
LDAP FDN of the SmartSignatur Configuration object containing the print and card configurations (the container chosen when importing DefaultSSESObjects.ldif).

idm.ldap.config.users.root=ou=users,o=data
Root OU of the SmartSignatur user objects, used for user management in the portal.

idm.ldap.config.groups.root=ou=groups,o=data
Root OU of the SmartSignatur group objects, used for group management in the portal.

idm.ldap.config.cert.search.root=o=data
Root OU searched for SmartSignatur objects when using the web service API.

nets.certificate.provider.config.selfservice.keystore.password=<EncryptedPasswordToJKSFile>
Encrypted password of the voces.jks file.

nets.certificate.provider.config.selfservice.keystore.name=<PathToVocesJKSFile>
Path to the voces.jks file.

nets.certificate.provider.config.truststore.password=<EncryptedPassword>
Encrypted password of the cacerts.jks file.

idm.ldap.config.truststore.password=<EncryptedPassword>
Encrypted password of the ldap_trust.jks file.

nets.webservice.enabled=true
Set to true if the customer has a VOCES certificate and a Nets WebServices agreement. Set to false if the customer has no VOCES certificate or no Nets WebServices; ordering and revocation are then done manually, as described under VOCES Certificate in the Requirements.
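The two steps above, choosing encryption.password and filling in the settings, are easy to get subtly wrong: a key that is too short or contains a space, a principal pasted in as a plaintext DN instead of its encrypted form, a provider URL without the port, or nets.webservice.enabled=true without the VOCES keystore settings. The following is an added example (not part of the SSES installation set) that generates a suitable encryption.password from a CSPRNG and checks an sses.properties text for those mistakes. It does not know the cipher used by CryptoService-1.0.jar, so it cannot verify that an encrypted value is correct; the ENCRYPTED-* strings in its sample are stand-ins for CryptoService output, and the <host>:<port> format it enforces is taken from the placeholder on this page.

```python
"""Generate encryption.password and sanity-check sses.properties.

Added example; it is not part of the SSES installation set.  It does not
know the cipher used by CryptoService-1.0.jar, so it cannot verify that an
encrypted value is correct.  What it does catch before Tomcat is started:
an encryption.password shorter than 32 characters or containing
whitespace, a required setting that is missing, an admin principal that is
still a plaintext DN, an ldap.config.provider.url without a port, and
nets.webservice.enabled=true without the VOCES keystore settings.  The
properties text is constructed for the example; the ENCRYPTED-* strings
stand in for CryptoService output, whose real format is not shown here.
"""
import re
import secrets
import string

REQUIRED = (
    "encryption.password",
    "ldap.config.provider.url",
    "idm.ldap.config.adminGroup",
    "idm.ldap.config.ui.adminGroup",
    "idm.ldap.config.ui.hr.adminGroup",
    "idm.ldap.config.admin.principal",
    "idm.ldap.config.admin.credentials",
    "idm.ldap.config.root",
    "idm.ldap.config.users.root",
    "idm.ldap.config.groups.root",
    "idm.ldap.config.cert.search.root",
    "idm.ldap.config.truststore.password",
    "nets.webservice.enabled",
)
# Only required when the Nets WebServices are enabled.
NETS_REQUIRED = (
    "nets.certificate.provider.config.selfservice.keystore.password",
    "nets.certificate.provider.config.selfservice.keystore.name",
    "nets.certificate.provider.config.truststore.password",
)
GROUP_KEYS = REQUIRED[2:5]

GOOD_PROPERTIES = """\
encryption.password=K7pQ2mN9xV4bH8cR1tY6wL3sA5dF0gJzE2uM
ldap.config.provider.url=edir01.example.net:636
idm.ldap.config.adminGroup=cn=SSESAdmins,ou=groups,o=data
idm.ldap.config.ui.adminGroup=cn=SSESUIAdmins,ou=groups,o=data
idm.ldap.config.ui.hr.adminGroup=cn=SSESHRAdmins,ou=groups,o=data
# the next three hold CryptoService output; stand-in values here
idm.ldap.config.admin.principal=ENCRYPTED-PRINCIPAL
idm.ldap.config.admin.credentials=ENCRYPTED-PASSWORD
idm.ldap.config.truststore.password=ENCRYPTED-LDAPTRUST
idm.ldap.config.root=OU=SmartSignatur,O=System
idm.ldap.config.users.root=ou=users,o=data
idm.ldap.config.groups.root=ou=groups,o=data
idm.ldap.config.cert.search.root=o=data
nets.webservice.enabled=false
"""

# The same file with four things left unfinished.
WEAK_PROPERTIES = (
    GOOD_PROPERTIES
    .replace("K7pQ2mN9xV4bH8cR1tY6wL3sA5dF0gJzE2uM", "short secret")
    .replace(":636", "")
    .replace("ENCRYPTED-PRINCIPAL", "cn=SmartSignaturAdmin,ou=sa,o=system")
    .replace("nets.webservice.enabled=false", "nets.webservice.enabled=true")
)


def new_encryption_password(length: int = 48) -> str:
    """CSPRNG-generated value for encryption.password: letters and digits
    only, so it contains no whitespace and pastes cleanly into the file."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_properties(text: str) -> dict:
    """Minimal reader for key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(text: str) -> list:
    """Return findings for an sses.properties text; empty means nothing
    obviously wrong."""
    p = parse_properties(text)
    findings = [f"{k}: missing or empty" for k in REQUIRED if not p.get(k)]
    ep = p.get("encryption.password", "")
    if ep and (len(ep) < 32 or re.search(r"\s", ep)):
        findings.append("encryption.password: must be at least 32 chars with no whitespace")
    url = p.get("ldap.config.provider.url", "")
    if url and not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", url):
        findings.append("ldap.config.provider.url: expected <host>:<port>")
    if re.match(r"(?i)^(cn|uid|ou)=", p.get("idm.ldap.config.admin.principal", "")):
        findings.append("idm.ldap.config.admin.principal: plaintext DN, encrypt it with CryptoService")
    for key in GROUP_KEYS:
        if p.get(key) and not re.match(r"(?i)^cn=", p[key]):
            findings.append(f"{key}: expected the group's LDAP FDN (cn=...)")
    if p.get("nets.webservice.enabled", "").lower() == "true":
        findings += [f"{k}: required when nets.webservice.enabled=true" for k in NETS_REQUIRED if not p.get(k)]
    return findings


if __name__ == "__main__":
    print("suggested encryption.password:", new_encryption_password())
    print("good:", check_properties(GOOD_PROPERTIES) or "OK")
    print("weak:", *check_properties(WEAK_PROPERTIES), sep="\n  ")
```

Read the real /var/opt/sses400/sses.properties into check_properties before starting Tomcat; the check is deliberately conservative and only flags what can be recognised without knowing the cipher, so an empty result means the file is plausible, not that every encrypted value is right.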

Deploy SSES

Copy the SSES WAR file from the installation set's webapps folder to the server's Tomcat webapps folder.

The WAR file auto-deploys within a few minutes. If autoDeploy is disabled in Tomcat, deploy the WAR file manually (for example through the Tomcat Manager application, or by restarting Tomcat so that it is deployed on startup).

SmartSignatur attributes

User SSES Attributes

SSES maintains the following attributes on the users:

SSESAction
  0  No action
  1  The SSESSoap driver triggers the ordering process
  2  The SSESSoap driver triggers revocation
  3  The SSESSoap driver triggers user deletion (including revocation)

SSESConfig
  The SSES profile assigned to the user; please see the separate guide for the SSESConfig attribute.

SSESCertificateStatus
  Values for Nets/DanID as CA:
  0   No certificate ordered, or it is revoked (or no value)
  30  Success: Nets order Certificate started
  31  Error: Nets order Certificate failed
  40  Success: Nets order Certificate finished
  42  User started the issue process from the Client
  44  User started the issue process from the Browser
  45  Web server process failed
  46  Web server process succeeded
  52  Success: StraksUdsted started
  53  Error: StraksUdsted failed
  54  Success: StraksUdsted finished
  56  Success: ReNew request started (before sending to Nets)
  57  Error: ReNew failed
  60  Success: Certificate Issue started (before Nets communication)
  61  Error: Certificate Issue failed
  70  Success: Certificate Issued (not yet stored)
  71  Error: Certificate could not be stored in SecretStore
  80  Success: Certificate Issued and Stored

SSESCertificateSerialNumber
  RID and PID of the Nets/DanID certificate

SSESValidFrom
  Certificate valid-from date

SSESValidTo
  Certificate valid-to date

SSESCertificateHash
  SHA-1 hash of the certificate's public key, used for validation of the certificate and for 2-factor logon to Active Directory.

SSESCertificateHistory
  List of events (revocation, renewal)

SSESx509Identifier
  Used for NetIQ Access Manager 2-factor certificate login

SSESIssueRefNo
  Encrypted value of the Nets/DanID reference number

SSESIssueOrderDate
  Date when the certificate was ordered

SSESIssueInstallCode
  Encrypted value of the Nets/DanID installation code

SSESCardId
  The raw CSN (card serial number) of the issued card; this number may need to be converted before FollowMe print can identify the card.

SSESCardPin
  PIN code for physical door access.
  NOTE: this is not the same PIN as the smart card PIN, since the PIN is often stored in clear text in physical access applications.

SSESSocialSecurityNumber
  (Optional) Social security number of the user, if needed for FMK or other national services.

 

SmartSignatur IDM Drivers

SSES comes with two default drivers for a single-eDirectory setup, plus additional rules for Active Directory 2-factor login.

IDM Drivers – Single eDirectory

Implement the following drivers in the eDirectory tree that SSES talks to over LDAP; they handle the communication with Nets/DanID and keep the SSES object class on the user objects up to date.

SSES Loopback Driver

The loopback driver is responsible for:

·       Setting the custom SSES object class on User objects.

·       Handling delayed deletion of user objects after all certificates are revoked.

To implement the driver:

·       Import the driver configuration file loopSSES.xml.

·       Change the log path to reflect the customer environment.

·       Deploy the driver and set rights and excluded objects.

·       Start the driver.

·       Check the log file for errors.

·       Migrate a single user on the driver to verify that it is working.

·       Check the log file for errors.

·       Migrate all users on the driver to add the SSES object class.

SSES WebService Driver

The WebService (SSESSoap) driver is responsible for:

·       Ordering new certificates at Nets DanID.

·       Revoking certificates at Nets DanID, both on revocation and on user deletion.

To implement the driver:

·       Import the driver configuration file soapSSES.xml.

·       Change the log path to reflect the customer environment.

·       Change Driver Configuration -> Driver Parameters -> Subscriber Options to reflect the customer environment.

·       Change the GCVs to reflect the customer environment.

·       Deploy the driver and set rights and excluded objects.

·       Start the driver.

·       Check the log file for errors.

·       Test a single user on the driver to verify that it is working.

AD Driver(s)

The changes to the AD driver are responsible for:

·       Setting AD attributes for enabling 2-factor login.

·       Setting AD attributes for enabling FollowMe Print with AD integration; the CardID must be converted to FollowMe format.

·       Handling delayed deletes when AD is the master directory and the delete originates from AD.

To enable 2-factor login, the AD attribute altSecurityIdentities must be updated from SSESCertificateHash after a certificate is issued. AD expects altSecurityIdentities values in its mapping syntax (for example X509:<SHA1-PUKEY> followed by the hash) rather than a bare hash, so the formatting belongs in the Output transform rule referenced below.

To enable AD-integrated FollowMe Print, the SSESCardID attribute must be written to AD. The AD attribute that FollowMe uses differs from customer to customer; put the right attribute in the schema mapping below.

Filter

Add SSESCertificateHash and SSESCardID to the AD driver filter.

Schema Mapping

Add the following to the AD driver schema mapping. The department attribute is only a placeholder (it was highlighted in the original) and must be replaced with the attribute FollowMe uses in AD:

<attr-name class-name="User">
      <nds-name>SSESCertificateHash</nds-name>
      <app-name>altSecurityIdentities</app-name>
</attr-name>
<attr-name class-name="User">
      <nds-name>SSESCardID</nds-name>
      <app-name>department</app-name>
</attr-name>

Output transform

The hash of the user's certificate is stored in the attribute SSESCertificateHash; the value is used for 2-factor login to Windows. Please see the sample code for an Output transform rule in the file "AD_driver_CertificateHash_addon.xml".

Convert SSESCardID to FollowMe format

The SSESCardID stored in eDirectory is the raw card serial number. Since each integration with door systems or FollowMe print may use a different format for the CSN, a transformation from the raw CSN to the application's format must be included in the driver.

Please see the sample code for an Output transform in the file "AD_driver_CardID_addon.xml".

Delayed deletes from AD

If Active Directory is used for manual user administration, a special user deletion policy must ensure that the certificates are revoked at Nets before the user is removed.

Please see the sample code for an Event transform in the file "AD_driver_Delete_addon.xml".

 

SmartSignatur Management

The SmartSignatur Management page is available on: LINK

Dashboard

The dashboard gives an overview of the running services and the user count.

Logs

The three log files (Application Events, Client Events and User Events) can be viewed from the management portal.

Upload certificate

To upload a certificate to a user you need the user's FDN in LDAP, the user's current password, the PKCS12 file and the password of the PKCS12 file.

Certificate History

To view the certificate history of a user you need the user's FDN in LDAP and the user's current password.

Certificate validity

Certificate Validity lists the users that must renew their certificate within a given period.

User and Certificate Management

The SmartSignatur Management page is available on: LINK

Manage Users

Lists all users; use the name filter in the top right corner to narrow the list.

View and Edit User

Shows the SSES attributes and general information for a user. If the user has a certificate, it can be revoked.

Create User

Users can be created with the basic information needed for issuing certificates.

View and Edit User – Issue Certificate

Shows the SSES attributes and general information for a user. If the user does not have a certificate, one can be ordered.

Manage Groups

Shows a list of all groups.

Search users by full name, company, phone number or SSESCertificateStatus.

Status, Error Codes and Troubleshooting

On each user, the current status of the ordering, issue and renewal process is updated at every step. If a process is cancelled or an error is returned, SSESCertificateStatus identifies where in the process the user stopped:

0 or no value  No certificate issued, or it is revoked
30  Success: Nets Issue Certificate started
31  Error: Nets Issue Certificate failed
40  Success: Nets Issue Certificate finished
42  User started the issue process from the Client
44  User started the issue process from the Browser
45  Web server process failed
46  Web server process succeeded
52  Success: StraksUdsted started
53  Error: StraksUdsted failed
54  Success: StraksUdsted finished
56  Success: ReNew request started (before sending to Nets)
57  Error: ReNew failed
60  Success: Certificate Issue started (before Nets communication)
61  Error: Certificate Issue failed
70  Success: Certificate Issued (not yet stored)
71  Error: Certificate could not be stored in SecretStore
80  Success: Certificate Issued and Stored

SSESAction is used to trigger an SSES event on the user. SSESConfig must be set on the user before SSESAction is set.

0 or no value  No action (0 also means that the previous action was executed)
1  Order certificate(s); the certificate type, CA and print configuration are taken from the SSESConfig attribute
2  Revoke certificate(s) according to the SSESConfig attribute
3  Delete the user, including revocation of the certificate(s) (see SSESAction under User SSES Attributes)
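When many users are stuck, reading the codes above one user at a time in iManager is slow. The following is an added example (not part of SSES) that takes an LDIF export of user objects with their SSES attributes and applies the rules from this section: SSESAction without SSESConfig is a misconfiguration, status 31, 45, 53, 57, 61 and 71 are failed steps, 0 and 80 are resting states, and anything else is a step in progress. A non-zero SSESAction on a user in a resting state is reported as not yet picked up by the driver, which is this example's reading of "0 = previous action was executed". The export and the SSESConfig value in it are constructed for the example.

```python
"""Triage SSES users from an LDIF export of their SSES attributes.

Added example; it is not part of SSES.  Given an LDIF export of user
objects (from ldapsearch or the iManager export), it applies the rules on
this page: SSESConfig must be set before SSESAction is set, status values
31, 45, 53, 57, 61 and 71 mean a step failed, 0 and 80 are resting states,
everything else is a step in progress.  A non-zero SSESAction on a user in
a resting state is reported as not yet picked up by the driver, which is
this example's reading of "0 = previous action was executed".  The export
and the SSESConfig value are constructed for the example.
"""

ERROR_STATUS = {
    31: "Nets order/issue failed",
    45: "Web server process failed",
    53: "StraksUdsted failed",
    57: "ReNew failed",
    61: "Certificate issue failed",
    71: "Certificate could not be stored in SecretStore",
}
RESTING_STATUS = {0: "no certificate or revoked", 80: "issued and stored"}
ACTIONS = {0: "none", 1: "order", 2: "revoke", 3: "delete user"}

SAMPLE_EXPORT = """\
dn: cn=alice,ou=users,o=data
cn: alice
SSESConfig: example-profile
SSESAction: 0
SSESCertificateStatus: 80

dn: cn=bob,ou=users,o=data
cn: bob
SSESAction: 1
SSESCertificateStatus: 0

dn: cn=carol,ou=users,o=data
cn: carol
SSESConfig: example-profile
SSESAction: 1
SSESCertificateStatus: 71

dn: cn=dave,ou=users,o=data
cn: dave
SSESConfig: example-profile
SSESCertificateStatus: 42

dn: cn=erin,ou=users,o=data
cn: erin
SSESConfig: example-profile
SSESAction: 2
SSESCertificateStatus: 80
"""


def parse_ldif(text: str) -> list:
    """Split an LDIF text into entries; each entry maps attr -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def _int(entry: dict, attr: str) -> int:
    """First value of a numeric attribute; missing or empty counts as 0."""
    values = entry.get(attr) or ["0"]
    return int(values[0] or 0)


def triage(text: str) -> dict:
    """Map each DN to a verdict: ok, misconfigured: ..., error: ...,
    pending: ... or in-progress: ..."""
    verdicts = {}
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        action = _int(e, "SSESAction")
        status = _int(e, "SSESCertificateStatus")
        if action and not e.get("SSESConfig"):
            verdicts[dn] = "misconfigured: SSESAction set without SSESConfig"
        elif status in ERROR_STATUS:
            verdicts[dn] = f"error: {ERROR_STATUS[status]} (status {status})"
        elif status in RESTING_STATUS and action:
            verdicts[dn] = f"pending: {ACTIONS.get(action, action)} (action {action}) not yet executed"
        elif status in RESTING_STATUS:
            verdicts[dn] = "ok"
        else:
            verdicts[dn] = f"in-progress: status {status}"
    return verdicts


def summary(verdicts: dict) -> dict:
    """Count verdicts by their leading category."""
    counts = {}
    for v in verdicts.values():
        cat = v.split(":")[0]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for dn, verdict in result.items():
        print(f"{dn}: {verdict}")
    print(summary(result))
```

Feed it the output of an LDAP search over the users root that returns the SSESConfig, SSESAction and SSESCertificateStatus attributes; the "misconfigured" verdicts are the ones the driver will never act on, and the "error" verdicts point at the step (Nets, web server, StraksUdsted, renewal, SecretStore) whose log to read first.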