Configuring the Web Server
To configure and run the Web Server, set the IDPV Server parameters in the appsettings.yml file. The appsettings.yml file described below is located in the /var/thales/config directory.
Configuring General Web Server Settings
Refer to the following table for the configurations:
| Parameters | Description | Example |
|---|---|---|
| ServerPublicUrl | The IDPV server hosting URL (public or intranet) that is reachable from client machines. Type: Mandatory | ServerPublicUrl: "https://<IDPV Server URL.com>/" |
| TlsCertificateThumbprint | The thumbprint of the TLS certificate (SHA-1 or SHA-2 thumbprint algorithm) used to host the IDPV server over HTTPS. This value is also used internally for PIN derivation. Type: Mandatory | Example with the SHA-1 thumbprint algorithm: TlsCertificateThumbprint: 12168c0721d6795d0d693928f963609f005d4b50 (Note: there is exactly one space after the colon.) |
| SelfServicePortalUrl | If you use the Self-Service Portal, provide the public base URL of the SSP that is reachable from client machines. Type: Optional | SelfServicePortalUrl: "https://idpvselfserviceportal.com/" |
| ShowSwaggerAPI | If set to false, the Swagger UI is hidden. If set to true, or if the setting is removed, the Swagger UI is shown in the browser. Type: Optional | ShowSwaggerAPI: true |
Configuring HTTPS Setting for Web Server
Refer to the following table for the configurations:
| Parameters | Description | Example |
|---|---|---|
| Path | Path to the certificate file. This certificate is required to host the server over HTTPS. | Path: /publish/Config/<filename>.pfx |
| Password | Password set when the certificate was created. | Password: pass123 |
| URL | The server URL; replace * as appropriate. Note: the port number must remain unchanged. | URL: 'https://*:5001' |

To obtain the values of the Path and Password parameters, refer to the Enabling SSL and TLS section below.
Configuring Application for Key Rotation
Key rotation occurs at predefined intervals (in hours). This service applies to Azure tenants only, from SafeNet IDPV v2.5 onwards.
Refer to the following table for the configurations:
| Parameters | Description | Example |
|---|---|---|
| KeyRotationRefreshIntervalInHrs | Interval, in hours, between automatic runs of the key rotation service. Default: 0, which disables automatic key rotation. Maximum value: 1190. This parameter was added to appsettings.yml in SafeNet IDPV v2.5; to enable key rotation, set it to your preferred interval. | KeyRotationRefreshIntervalInHrs: 2 |

Note: Before enabling the service, update the tenant IdP configuration according to the latest idpconfig.json file; refer to the Microsoft Entra ID (Azure AD) integration documentation. After updating the tenant IdP configuration, set the -j flag to true (default value: false) at the tenant level in idpconfig.json. If you do not use the key rotation service, these changes are not required. If KeyRotationRefreshIntervalInHrs is set to 0 in appsettings.yml but the tenant has key rotation enabled, key rotation starts immediately when a user authentication fails because of a signing key mismatch.
Enabling SSL and TLS
This section describes how to enable Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections for the IDPV server.
There are two ways to configure SSL/TLS:
Using a self-signed certificate
This is for testing purposes only. It is highly recommended to use SSL certificates signed by an established and known CA, installed on your host and added to the local machine trusted store.
Create a self-signed certificate
1. Enter the following command to create the key and certificate on the IDPV Server:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /var/thales/config/privatekey.key -out /var/thales/config/server.crt
After running this command, you are asked to enter the information that is incorporated into your certificate request and used as its Distinguished Name (DN). Make sure to provide your server hostname in the Common Name field. You can find the hostname by running the hostname command.
2. Use the following command to create the .pfx from the .crt and .key files created in step 1:
openssl pkcs12 -export -out /var/thales/config/certificate.pfx -inkey /var/thales/config/privatekey.key -in /var/thales/config/server.crt
This command asks you to set a certificate password, which is later used in the Kestrel section of appsettings.yml.
3. Use the following command to enable access to the certificate:
chmod 755 certificate.pfx
Note that the .pfx file bundles the private key, so grant read access only to the account that runs the IDPV container where your environment allows it. Provide the path of the self-signed certificate, together with its password, in appsettings.yml.
4. Copy the certificate (.pfx file) to the configuration directory /var/thales/config/.
5. Update the Secret or the appsettings.yml config file according to your deployment:
For Docker: update the .pfx path in appsettings.yml under Kestrel > EndPoints > Https > Certificate:
Path: /publish/Config/<filename>.pfx
For Kubernetes: update the .pfx path in appsettings.yml under Kestrel > EndPoints > Https > Certificate, and update the Secret created in step 2 of Deploying IDPrime Virtual Server in Kubernetes:
Path: /publish/Config/<filename>.pfx
To replace the certificate of an already running container, perform the steps above and then restart the container as described in the next step.
6. Restart the Docker container using the following command:
docker restart <idprimevirtualserver>
For RHEL 8 or 9 with a podman environment, the command is:
podman restart <idprimevirtualserver>
The certificate must be trusted on the client machine; otherwise the connection will not be established.
Using a certificate issued by an established CA Server
The first approach is less secure, so it is recommended to use a certificate issued by an established CA. If a CA-signed certificate is used, ensure it is installed on your host and added to the local machine trusted store. Then provide the path of the CA-signed certificate and its password in appsettings.yml, as described in the previous section.
Configuring Signature Web Service
Refer to the following table for the configurations:
| Parameters | Description | Example |
|---|---|---|
| EnableSADValidation | Recommended to enhance security when signing with the SWS Signatures/SignHash API. Type: Mandatory. Default: False | EnableSADValidation: false |
| EnableSWSMultiTenant | Recommended to support multiple tenants with the SWS API. Type: Mandatory. Default: False | EnableSWSMultiTenant: false |
| Multisign | Defines the maximum number of signatures allowed in a single Signatures/SignHash API call. The value must be between 1 and 25. Type: Mandatory. Default: 5 | Multisign: 5 |
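The parameter tables above share a set of limits (mandatory HTTPS URLs, a hex thumbprint, the 0..1190 hour key rotation window, the 1..25 Multisign range, the fixed Kestrel port 5001 and a .pfx certificate path). The following script, added here as an example and not part of the Thales product, checks a parsed appsettings.yml against those limits before the container is started; the Kestrel key names follow the tables above and the sample values are constructed placeholders.

```python
# Added example, not Thales code: sanity-check values destined for
# /var/thales/config/appsettings.yml against the limits documented above.
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")
THUMBPRINT_HEX_LENGTHS = (40, 64)      # SHA-1 and SHA-256 digests

def check_idpv_settings(cfg: dict) -> list:
    """Return the list of problems found; an empty list means the settings look sane."""
    problems = []
    if not str(cfg.get("ServerPublicUrl", "")).startswith("https://"):
        problems.append("ServerPublicUrl is mandatory and must be an https:// URL")
    tp = str(cfg.get("TlsCertificateThumbprint", ""))
    if not HEX.match(tp) or len(tp) not in THUMBPRINT_HEX_LENGTHS:
        problems.append("TlsCertificateThumbprint must be a 40- or 64-digit hex digest")
    hrs = cfg.get("KeyRotationRefreshIntervalInHrs", 0)  # 0 = rotation disabled
    if not isinstance(hrs, int) or not 0 <= hrs <= 1190:
        problems.append("KeyRotationRefreshIntervalInHrs must be an integer 0..1190")
    ms = cfg.get("Multisign", 5)
    if not isinstance(ms, int) or not 1 <= ms <= 25:
        problems.append("Multisign must be between 1 and 25")
    for flag in ("EnableSADValidation", "EnableSWSMultiTenant"):
        if not isinstance(cfg.get(flag, False), bool):
            problems.append(f"{flag} must be true or false")
    # Kestrel HTTPS endpoint: the port must stay 5001 and the cert must be a .pfx.
    https = cfg.get("Kestrel", {}).get("EndPoints", {}).get("Https", {})
    if not re.fullmatch(r"https://[^/:]+:5001", str(https.get("URL", ""))):
        problems.append("Kestrel Https URL must keep port 5001, e.g. https://*:5001")
    cert = https.get("Certificate", {})
    if not str(cert.get("Path", "")).endswith(".pfx") or not cert.get("Password"):
        problems.append("Kestrel Certificate needs a .pfx Path and its Password")
    return problems

# Constructed sample mirroring the documented layout; all values are placeholders.
SAMPLE = {
    "ServerPublicUrl": "https://idpv.example.com/",
    "TlsCertificateThumbprint": "12168c0721d6795d0d693928f963609f005d4b50",
    "KeyRotationRefreshIntervalInHrs": 2,
    "EnableSADValidation": False, "EnableSWSMultiTenant": False, "Multisign": 5,
    "Kestrel": {"EndPoints": {"Https": {"URL": "https://*:5001",
        "Certificate": {"Path": "/publish/Config/certificate.pfx", "Password": "pass123"}}}},
}

if __name__ == "__main__":
    print(check_idpv_settings(SAMPLE) or "appsettings values look sane")
```

To run it against a real file, load appsettings.yml with a YAML parser of your choice and pass the resulting dictionary to check_idpv_settings.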