Install Protocol Gateway
This article describes how to install the Protocol Gateway component in Smart ID Certificate Manager.
The CM client installation package must be installed on the Protocol Gateway host. Select the PGW component to install. Optionally, the AWB and RA clients may be selected as well, since they are required for the tasks below. This makes all necessary files available on the Protocol Gateway host. Normally, the Protocol Gateway host would not be the same as the CM server host; however, multiple hosts are not a requirement for completing this setup. The variables used in file path specifications are defined as follows:
<configroot> - refers to the Protocol Gateway configuration folder. On Windows, <configroot> corresponds to %ALLUSERSPROFILE%/Nexus/cm-gateway/; on Linux to /var/cm-gateway/.
<client_root> - refers to the base folder of a CM client installation.
<CATALINA_BASE> - refers to the base folder of an Apache Tomcat instance. If Apache Tomcat is not set up to run several instances this variable references the same folder as CATALINA_HOME.
<CATALINA_HOME> - refers to the base folder of an Apache Tomcat installation.
Prerequisites
Protocol Gateway requires the following external components for its operations:
The CM server installation (Nexus CF service) in the network must be available to issue certificates.
Apache Tomcat 10.1 as the servlet container must be installed on the Protocol Gateway host. Download Apache Tomcat from http://tomcat.apache.org
The CM client tools AWB and RA are required to set up the CA and policy objects that are used by Protocol Gateway.
A 64-bit version of Java 17 must be installed on the Protocol Gateway host. Download Java from openjdk.java.net or oracle.com.
The CM server must be available to issue certificates. See
Step-by-step instruction
Install CM clients with Protocol Gateway option
If the Protocol Gateway client is not already installed:
Follow the steps in either of these instructions and make sure to check Protocol Gateway in the list of clients, as well as Administrator's workbench (AWB) and Registration Authority (RA) that are needed to set up CA and policy objects:
Copy Protocol Gateway .war file
To copy the Protocol Gateway .war file:
Go to the CM installation folder, for example \CM\clients\web\pgwy\.
Copy the pgwy.war file to the Tomcat webapps folder, for example \Tomcat\webapps.
Start Tomcat. After the startup is complete, just stop it again.
When Protocol Gateway is started the first time, the \conf folder and initial configuration files will be created, for example C:\ProgramData\Nexus\cm-gateway\conf\. Error messages can be ignored at this point.
Deploy Protocol Gateway
The following actions perform a static deployment of the Protocol Gateway application in Apache Tomcat. The Protocol Gateway application is delivered as a web archive file, pgwy.war, which is located in a CM client installation.
Copy the pgwy.war file from the <client_root>/web/pgwy folder to the <CATALINA_BASE>/webapps folder.
Start Apache Tomcat. After the startup is complete, just shut down Apache Tomcat again. When Protocol Gateway is started the first time, the <configroot>/conf folder and initial configuration files will be created. Error messages can be ignored at this point.
Configure Tomcat service
On Windows
Run the Tomcat application.
For how to set up Apache Tomcat 10.1 as a Windows service, see Apache Tomcat 10. Tomcat10w is a GUI application for monitoring and configuring Apache Tomcat services. Start the Tomcat10w.exe application to configure the Apache Tomcat properties and to set the Java parameters that are required by the Protocol Gateway application.
Go to the Logging tab, and set Log path to C:\ProgramData\Nexus\cm-gateway\logs.
Go to the Java tab, and set the following properties:
Example: Java options
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\ProgramData\Nexus\cm-gateway\conf\logging.properties
-Dnexus.var=C:\ProgramData\Nexus\cm-gateway
On Linux
Open the script file setenv.sh in the Apache Tomcat bin folder for editing.
Set the following options in CATALINA_OPTS as a string separated by spaces.
Example: Set options in setenv.sh
CATALINA_OPTS="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.util.logging.config.file=/var/cm-gateway/conf/logging.properties \
-Dnexus.var=/var/cm-gateway"
Note: Configuring Protocol Gateway as a service on Linux depends on the distribution used and is not covered here.
Do not restart Tomcat yet.
Restarting Tomcat would lead to an error message, since Protocol Gateway is not yet configured.
Secure Tomcat service - recommendations
Securing the Apache Tomcat Service is outside the scope of the Protocol Gateway application. Here are some recommended steps to secure the Tomcat service:
Disable the TLSv1.0 and TLSv1.1 protocols and allow only strong ciphers. In the file <CATALINA_BASE>/conf/server.xml, modify the SSLHostConfig so that it includes the attribute:
protocols="TLSv1.3,TLSv1.2"
Enable only strong ciphers and force the clients to respect the server's cipher order. In the file <CATALINA_BASE>/conf/server.xml, modify the SSLHostConfig so that it includes the attributes:
honorCipherOrder="true"
ciphers="HIGH:!3DES:!DES:!SHA1:!SHA256:!SHA384:!SEED"
Example: server.xml connector configuration
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig
        honorCipherOrder="true"
        ciphers="HIGH:!3DES:!DES:!SHA1:!SHA256:!SHA384:!SEED"
        protocols="TLSv1.3,TLSv1.2"
        truststoreFile="keystore.jks"
        truststorePassword="xxx"
        certificateVerification="none">
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.p12"
            certificateKeystorePassword="1234"
            certificateKeystoreType="PKCS12"
            type="RSA" />
    </SSLHostConfig>
</Connector>
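The recommendations above are easy to lose during a Tomcat upgrade or when a second connector is added. The following script is an added example, not part of the Nexus documentation or the Protocol Gateway product: it parses a server.xml with the Python standard library and reports, per TLS-enabled connector, which of the three recommendations (TLSv1.2/1.3 only, honorCipherOrder="true", the cipher exclusions from the string above) are not met. The two embedded server.xml fragments are constructed samples; the weak one deliberately leaves TLSv1.1 enabled and omits most exclusions so the checks have something to report.

```python
"""Audit Tomcat server.xml SSLHostConfig elements against the TLS hardening
recommendations for the Protocol Gateway host (added example, not Nexus code)."""
import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Exclusions taken from the recommended cipher string on this page.
REQUIRED_EXCLUSIONS = {"!3DES", "!DES", "!SHA1", "!SHA256", "!SHA384", "!SEED"}

# Constructed sample: the page's hardened connector plus a plain HTTP connector.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig honorCipherOrder="true"
                   ciphers="HIGH:!3DES:!DES:!SHA1:!SHA256:!SHA384:!SEED"
                   protocols="TLSv1.3,TLSv1.2">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                   certificateKeystoreType="PKCS12" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample with weak settings: TLSv1.1 still on, no cipher order,
# and a cipher string that only excludes single DES.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.3,TLSv1.2,TLSv1.1" ciphers="HIGH:!DES">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                   certificateKeystoreType="PKCS12" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def check_ssl_host_config(cfg):
    """Return a list of findings for one <SSLHostConfig>; empty means compliant."""
    findings = []

    protocols = cfg.get("protocols")
    if protocols is None:
        findings.append('protocols attribute missing; set protocols="TLSv1.3,TLSv1.2"')
    else:
        # Tomcat accepts a comma-separated list, optionally with +/- prefixes
        # and the keyword "all"; entries prefixed with "-" are removals.
        tokens = [t.strip() for t in protocols.split(",") if t.strip()]
        enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
        if "all" in enabled:
            findings.append('protocols="all" relies on the JSSE/OpenSSL default; '
                            'list TLSv1.3,TLSv1.2 explicitly')
        for proto in sorted(enabled - ALLOWED_PROTOCOLS - {"all"}):
            findings.append(f"legacy protocol enabled: {proto}")

    if cfg.get("honorCipherOrder", "false").strip().lower() != "true":
        findings.append('honorCipherOrder is not "true"; the client chooses the cipher')

    ciphers = cfg.get("ciphers")
    if ciphers is None:
        findings.append("ciphers attribute missing; Tomcat falls back to its default list")
    else:
        missing = REQUIRED_EXCLUSIONS - set(ciphers.split(":"))
        if missing:
            findings.append("cipher string does not exclude: " + ", ".join(sorted(missing)))
    return findings


def audit_server_xml(xml_text):
    """Map 'port:hostName' of every SSL-enabled connector to its findings."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors have no TLS settings to check
        port = conn.get("port", "?")
        for host_cfg in conn.iter("SSLHostConfig"):
            key = f"{port}:{host_cfg.get('hostName', '_default_')}"
            results[key] = check_ssl_host_config(host_cfg)
    return results


def audit_server_xml_file(path):
    """Audit a real <CATALINA_BASE>/conf/server.xml from disk."""
    with open(path, "rb") as fh:
        return audit_server_xml(fh.read())


if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED_SERVER_XML), ("weak", WEAK_SERVER_XML)):
        for key, findings in audit_server_xml(xml_text).items():
            print(f"[{label}] connector {key}: {'OK' if not findings else ''}")
            for finding in findings:
                print(f"    - {finding}")
```

Run it against a live instance with audit_server_xml_file("<CATALINA_BASE>/conf/server.xml") after each Tomcat upgrade; an empty findings list for every 8443 entry means the three recommendations from this section are still in place. The check only inspects what server.xml declares, so a JSSE or OpenSSL default that silently re-enables a protocol is reported as the missing explicit attribute rather than detected on the wire.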
Initial configuration
To do initial configuration of Protocol Gateway, see Initial configuration of Protocol Gateway.
Configuration examples
For configuration examples in Protocol Gateway, see Configuration examples in Protocol Gateway.
Upgrade Protocol Gateway
To upgrade to a newer version of Protocol Gateway, see Upgrade Protocol Gateway.