Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


This article describes how to configure Tomcat for TLS client authentication in Protocol Gateway.

TLS client authentication is a prerequisite for EST, ACME and the Certificate Manager REST API.


Prerequisites

The following prerequisites apply:

Step-by-step instruction

Create a PKCS#12 token procedure for REST API devices, according to Create token procedure in Certificate Manager, with the following settings:

  1. Set Procedure name to System Token Procedure P12.
  2. In Storage profile, select PKCS12.
  3. In Issuer certificates, check Store all.

For more information, see Create token procedure in Certificate Manager.

Tomcat needs a TLS soft token issued from the PKCS#12 token procedure that was just created:

Issue a software token, according to Issue software token in Certificate Manager, with the following settings:

  1. Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.
  2. In Procedure name, select System Token Procedure P12.
  3. In Common Name, enter cm.local.

To create a keystore: 

  1. Open KeyStore Explorer.
  2. Click Create a new KeyStore.
  3. In New KeyStore Type, check JKS.
  4. Click Tools > Import Trusted Certificate and select System CA.cer.
  5. Save the keystore as \Nexus\Tomcat\conf\trusted.jks, in the same directory as the localhost-rsa.p12 file that you just created.

Tomcat must be configured with two TLS connectors: one without client authentication (for the /cacerts endpoint) and one with client authentication (for certificate requests).

  • Open \Nexus\Tomcat\conf\server.xml for editing.
  • Configure one connector for TLS with client authentication and one for TLS without client authentication (with clientAuth set to true and false, respectively).

    EST configuration

    For use with the EST protocol, there must be a connector with clientAuth set to false, since the /cacerts endpoint must NOT be protected behind client authentication.

    For both connectors, set the following parameters:

    1. Set keystoreFile to conf/localhost-rsa.p12.
    2. Set keystorePass to the configured PIN of localhost-rsa.p12.
    3. Set truststoreFile to conf/trusted.jks.
    4. Set truststorePass to the configured PIN of trusted.jks.

Example for Tomcat version 8 or earlier

Example for Tomcat <= 8: server.xml - Tomcat connector with client authentication
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="true" sslProtocol="TLS"
     keystoreFile="conf/localhost-rsa.p12"
     keystorePass="abcd1234" keystoreType="PKCS12"
     truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS" 
/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="conf/localhost-rsa.p12"
     keystorePass="abcd1234" keystoreType="PKCS12"
     truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS" 
/>

Example for Tomcat version 9

Example for Tomcat 9: server.xml - Tomcat connector with client authentication
<Connector
        port="8444"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        maxPostSize="-1"
        scheme="https"
        secure="true">
        <SSLHostConfig
            ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,
                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            honorCipherOrder="true"
            sslProtocol="TLSv1.3"
            protocols="TLSv1.2,+TLSv1.3"
            certificateVerification="required"
            truststoreFile="conf/trusted.jks"
            truststorePassword="changeit"
            truststoreType="JKS"
            >
            <Certificate
                certificateKeystoreFile="conf/Nexus-Server_Certificate.p12"
                certificateKeystorePassword="1234"
                certificateKeystoreType="PKCS12"
                />
        </SSLHostConfig>
    </Connector>
  • Restart the Tomcat service.
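As an added check, not part of the Nexus documentation or of Protocol Gateway, the following script parses a server.xml and reports when the two-connector layout above is not met, reading both the Tomcat <= 8 attribute form (clientAuth) and the Tomcat 9 SSLHostConfig form (certificateVerification). The sample XML strings and the function names are constructed for this example; the Tomcat 9 sample deliberately omits the connector without client authentication.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not a real deployment): the two Tomcat <= 8 connectors from the article.
TOMCAT8_OK = """<Server><Service name="Catalina">
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="true" keystoreFile="conf/localhost-rsa.p12"
 keystorePass="abcd1234" keystoreType="PKCS12" truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS"/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" keystoreFile="conf/localhost-rsa.p12"
 keystorePass="abcd1234" keystoreType="PKCS12" truststoreFile="conf/trusted.jks" truststorePass="1234" truststoreType="JKS"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
# Constructed sample: Tomcat 9 form, but only the client-authenticated connector was added.
TOMCAT9_INCOMPLETE = """<Server><Service name="Catalina">
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
 <SSLHostConfig protocols="TLSv1.2,+TLSv1.3" certificateVerification="required"
  truststoreFile="conf/trusted.jks" truststorePassword="changeit" truststoreType="JKS">
  <Certificate certificateKeystoreFile="conf/localhost-rsa.p12" certificateKeystorePassword="1234" certificateKeystoreType="PKCS12"/>
 </SSLHostConfig></Connector>
</Service></Server>"""

def tls_connectors(server_xml):
    """One dict per SSLEnabled connector, reading both the Tomcat <= 8 and Tomcat 9 forms."""
    out = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not part of the TLS layout
        host = c.find("SSLHostConfig")
        if host is None:  # Tomcat <= 8: everything is a Connector attribute
            out.append({"port": c.get("port"), "keystore": c.get("keystoreFile"),
                        "truststore": c.get("truststoreFile"),
                        "client_auth": c.get("clientAuth", "false").lower() == "true"})
        else:  # Tomcat 9: truststore on SSLHostConfig, keystore on the nested Certificate
            cert = host.find("Certificate")
            out.append({"port": c.get("port"), "truststore": host.get("truststoreFile"),
                        "keystore": None if cert is None else cert.get("certificateKeystoreFile"),
                        "client_auth": host.get("certificateVerification", "none") == "required"})
    return out

def lint(server_xml):
    """Findings against the layout described in the article; an empty list means it is satisfied."""
    conns = tls_connectors(server_xml)
    findings = []
    if not any(c["client_auth"] for c in conns):
        findings.append("no connector requires a client certificate: certificate requests are unauthenticated")
    if not any(not c["client_auth"] for c in conns):
        findings.append("no connector without client authentication: EST /cacerts is unreachable")
    for c in conns:
        if not c["keystore"]:
            findings.append(f"port {c['port']}: no server keystore configured")
        if c["client_auth"] and not c["truststore"]:
            findings.append(f"port {c['port']}: client auth required but no truststore to verify clients")
    return findings
```

Run lint() on the real conf/server.xml after editing and before restarting Tomcat; note that clientAuth="want" and certificateVerification="optional" are reported as not requiring a client certificate.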