Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Prerequisites for IDPV Server

Configuring the Web Server

search

Configuring the Web Server

To configure and the run the Web Server, you need to configure the IDPV Server parameters that are present in the appsettings.yml file. The appsettings.yml file give below is placed under the /var/thales/config directory.

appsettings

Configuring General Web Server Settings

Refer to the following table for the configurations:

Parameters Description Example
ServerPublicUrl The IDPV server hosting URL (public or intranet) which is accessible from client machines.
Type: Mandatory		 ServerPublicUrl: “https://<IDPV Server URL.com>/”
TlsCertificateThumbprint TLS certificate thumbprint value (using thumbprint algorithm SHA-1 or SHA-2) must be provided to host the IDPV server on https.
This value is used internally for pin derivation.
Type: Mandatory		 Example with thumbprint algorithm SHA-1:
TlsCertificateThumbprint: 12168c0721d6795d0d693928f963609f005d4b50
Note There is one space after : in above examples.
SelfServicePortalUrl If you are using Self-Service Portal, provide the public base URL of SSP accessible from client machines.
Type: Optional		 SelfServicePortalUrl: "https://idpvselfserviceportal.com/"
ShowSwaggerAPI If this value is set to false, swagger UI is hidden. If this parameter is set to true or this setting is removed, then swagger UI is shown on the browser.
Type: Optional		 ShowSwaggerAPI: true

Configuring HTTPS Setting for Web Server

Refer to the following table for the configurations:

Parameters Description Example
Path Specify the path to the certificate file. This certificate is required to host server on https. Path: /publish/Config/<filename>.pfx
Password Password used at the time of certificate creation. Password: pass123
URL Provide the server URL and change * accordingly.
Note: Port number should remain untouched.		 URL: 'https://*:5001'

To provide the values of path and password parameters. Refer to the below section.

Configuring Application for Key Rotation

The key rotation occurs at predefined intervals (in hours). This service is applicable for Azure tenants only from SafeNet IDPV v2.5 onwards.

Refer to the following table for the configurations:

Parameters Description Example
KeyRotationRefreshIntervalInHrs Specify the period in hours as per your preferred configuration.
Default: 0, indicating that automatic key rotation is disabled.
This parameter is added in the appsettings.yml file, allowing you to define the automatic execution of the keyrotation service at pre-configured intervals. You can enable or disable this service as per your preferred configuration. To enable key rotation, you need to modify the parameter value as per your preferred configuration.
Maximum Value: 1190

This parameter is added in SafeNet IDPV v2.5.

Note: Before enabling the service, you need to update the tenant IdP configuration according to the latest idpconfig.json file, refer to the Microsoft Entra ID (Azure AD) integration documentation.

After updating the tenant IdP configuration file, in the idpconfig.json file, set the -j flag to true (default value: false) at the tenant level.
If you do not want to use the key rotation service, the above changes are not required.
In the appsettings.yml file, if you set the value of the KeyRotationRefreshIntervalInHrs parameter to 0, yet the tenant has key rotation enabled, the key rotation process will initiate immediately upon a user authentication failure caused by a signing key mismatch.		 KeyRotationRefreshIntervalInHrs: 2

Enabling SSL and TLS

This section describes how to enable Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections for the IDPV server.

There are two ways to configure SSL/TLS:

Using a self-signed certificate

This is only for testing purposes. It is highly recommended to use SSL certificates signed by established and known CA installed on your host, and added to the local machine trusted store.

Create a self-signed certificate

  1. Enter the following command to create key and certificate on IDPV Server:

    

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/thales/config/privatekey.key -out /var/thales/config/server.crt

    After running this command, you will be asked to enter information that will be incorporated into your certificate request which will used as a Distinguished Name or a DN.
    Make sure to provide your server hostname in the common name field. You can find out the hostname by running hostname command. RSA private key

  2. Use the following command to create pfx from .crt and .key:

    

    openssl pkcs12 -export -out /var/thales/config/certificate.pfx -inkey /var/thales/config_clone/privatekey.key -in /var/thales/config_clone/server.crt

    While executing this command it will ask you to create the certificate password which will be used in the appsettings.yml in the Kestrel section.

  3. Use the following command to enable access to the certificate: chmod 755 certificate.pfx

Provide the path of self-signed certificate in appsettings.yml with password.

  1. Copy the certificate (.pfx file) to the following configuration directory: /var/thales/config/.

  2. Update the Secret or appsettings.yml config file as per the following case:

    For Docker
    Update the .pfx path in appsettings.yml file under Kestrel > EndPoints > Https > Certificate.

    Path: /publish/Config/<filename>.pfx

    For Kubernetes
    Update the .pfx path in appsettings.yml file under Kestrel > EndPoints > Https > Certificate to update the Secret created in step 2 of Deploying IDPrime Virtual Server in Kubernetes.

    Path: /publish/Config/<filename>.pfx

    If you wish to update the certificate for already running container then perform the above steps and then restart container using the below commands given in step 3.

  3. Restart the Docker container using the following command:

    

    docker restart <idprimevirtualserver>

    For RHEL 8 or 9 with podman environment, the command is:

    

    podman restart <idprimevirtualserver>

Certificate must be trusted on the client machine, else the connection won't be established.

Using a certificate issued by an established CA Server

The first approach is less secure, therefore it is recommended to use a certificate issued by an established CA. If a CA-signed certificate is used, ensure CA-signed certificate is installed on your host and added to the local machine trusted store. Click here to provide the path of CA certificate in appsettings.yml with password.

Configuring Signature Web Service

Refer to the following table for the configurations:

Parameters Description Example
EnableSADValidation This value is recommended to enhance security while signing with SWS Signatures/SignHash API.
Type: Mandatory
Default: False		 EnableSADValidation:false
EnableSWSMultiTenant This value is recommended to support multitenant with SWS API.
Type: Mandatory
Default: False		 EnableSWSMultiTenant:false
Multisign This value is recommended to define maximum number of signatures allowed at a time with the Signatures/SignHash API. The multi-sign configuration value is between 1 to maximum 25.
Type: Mandatory
Default: 5		 Multisign: 5

On this page