The Hermod messaging server is a web-based service for online authentication and signing using Nexus Personal Mobile or Nexus Personal Desktop with smartcards. Introducing the Hermod messaging server enables certificates for Personal Mobile profiles, which increases security.

This article describes how to connect the Hermod messaging server to Hybrid Access Gateway and how to make initial settings.

Prerequisites

  • Installed Hermod messaging server
  • Data migrated from Hybrid Access Gateway to Hermod

Step-by-step instructions

Log in to Hybrid Access Gateway administration interface
  1. Log in to the Hybrid Access Gateway administration interface with your admin user.


Connect Hermod messaging server to Hybrid Access Gateway
  1. In the Hybrid Access Gateway administration interface, go to Manage system > Policy Services.
  2. Select a policy service to edit it.
  3. Check Enable Provisioning.
  4. Enter the provisioning settings for use by Personal Mobile. These settings apply to all policy services.

    1. Hermod relay URL: Set to https://<access-point-public-host>/https/api/rest/v3.0/relay/hermod by default.

      Example: Hermod relay URL

      https://hermod1.nexusgroup.local/https/api/rest/v3.0/relay/hermod


    2. Hermod URL: Set to https://<hermod-public-host>/hermod/rest/command/ by default.

      Example: Hermod URL

      https://nexus-cod1.nexusgroup.local:20400/command/


    3. Image API URL: Set to https://<distribution-service-public-host>/image/v1/rest/image by default.

      Example: Image API URL

      https://hermod1.nexusgroup.local:9443/image/v1/rest/image

      Click the ?-sign for more information and help.

      Field Name

      Description

      Hermod relay URL

      The URL to the Policy Service REST Relay API, which is used for relaying requests to the Hermod server. This must be configured together with the actual callback URL in Hermod, which the Policy Service REST Hermod API uses for processing these callback requests from Hermod. Both of these URLs must be on publicly accessible paths on the "api" web resource (already configured by default). Configure Hermod as follows:

      application.hermod.allowedClients.callbackUrl: https://<access-point-public-host>/https/api/rest/v3.0/hermod

      Set to https://<access-point-public-host>/https/api/rest/v3.0/relay/hermod by default.

      Hermod URL

      The URL to the Hermod REST Command API, which is used for provisioning, authentication and signing. This must be a public URL. The following configuration assumes that Hermod is set up as a web resource and given a Reserved DNS Mapping, with these publicly accessible paths:

      • hermod/rest/command/
      • hermod/rest/ms

      The default URL's path component assumes the following Hermod configuration:

      • server.contextPath: /hermod
      • application.hermod.rest.uribase: /rest
      • application.hermod.messageServerLibrary.publicUrl: https://<hermod-public-host>/hermod/rest/ms
      • application.hermod.cors.pathPatterns: '/rest/ms,/rest/ms/**'

      Set to https://<hermod-public-host>/hermod/rest/command/ by default.

      Image API URL

      The URL to the Distribution Service REST Image API, which is used for fetching images to be displayed during authentication when using Personal Mobile. This must be a public URL. The default path assumes that Hermod is set up as a web resource and given a Reserved DNS Mapping, with this publicly accessible path:

      • image/v1/rest/image

      Set to https://<distribution-service-public-host>/image/v1/rest/image by default.

      This is an overview of what needs to be configured and how the communication flows between Hybrid Access Gateway and Hermod messaging server:
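The field descriptions above tie several Hermod and Hybrid Access Gateway values together, and a mismatch between them is easy to miss. The following check is an added example, not part of the Nexus documentation or product; it assumes the default layout described above, that the CORS patterns are relative to the context path, and uses constructed `*.example.test` host names and a hypothetical `check_consistency` helper.

```python
from urllib.parse import urlsplit

P = "application.hermod."  # shorthand for the Hermod key prefix
# Constructed sample values; the *.example.test hosts are placeholders.
HERMOD = {
    "server.contextPath": "/hermod",
    P + "rest.uribase": "/rest",
    P + "messageServerLibrary.publicUrl": "https://hermod.example.test/hermod/rest/ms",
    P + "cors.pathPatterns": "/rest/ms,/rest/ms/**",
    P + "allowedClients.callbackUrl": "https://ap.example.test/https/api/rest/v3.0/hermod",
}
HAG = {
    "Hermod relay URL": "https://ap.example.test/https/api/rest/v3.0/relay/hermod",
    "Hermod URL": "https://hermod.example.test/hermod/rest/command/",
    "Image API URL": "https://ds.example.test/image/v1/rest/image",
}

def check_consistency(hermod, hag):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    urls = {**hag, "callbackUrl": hermod[P + "allowedClients.callbackUrl"],
            "publicUrl": hermod[P + "messageServerLibrary.publicUrl"]}
    parts = {name: urlsplit(url) for name, url in urls.items()}
    for name, u in parts.items():
        if u.scheme != "https" or not u.hostname:
            findings.append(f"{name}: not an absolute https URL")
    # Hermod URL and publicUrl paths follow contextPath + uribase.
    uribase = hermod[P + "rest.uribase"].rstrip("/")
    base = hermod["server.contextPath"].rstrip("/") + uribase
    if parts["Hermod URL"].path != base + "/command/":
        findings.append(f"Hermod URL: path is not {base}/command/")
    if parts["publicUrl"].path.rstrip("/") != base + "/ms":
        findings.append(f"publicUrl: path is not {base}/ms")
    # Assumption: CORS patterns are relative to the context path.
    patterns = {p.strip() for p in hermod[P + "cors.pathPatterns"].split(",")}
    missing = {uribase + "/ms", uribase + "/ms/**"} - patterns
    if missing:
        findings.append(f"cors.pathPatterns: missing {sorted(missing)}")
    # Relay and callback sit on the same access point host, one path apart.
    relay, callback = parts["Hermod relay URL"], parts["callbackUrl"]
    if relay.hostname != callback.hostname:
        findings.append("callbackUrl: host differs from Hermod relay URL host")
    if relay.path.replace("/relay/hermod", "/hermod") != callback.path:
        findings.append("callbackUrl: path does not match relay path without /relay")
    return findings

if __name__ == "__main__":
    for finding in check_consistency(HERMOD, HAG) or ["no findings"]:
        print(finding)
```

A deployment that deliberately departs from the defaults, such as a different context path or port layout, will produce findings that need to be reviewed rather than treated as errors.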


Add CA certificate
  1. To upload the corresponding Certificate Authority (CA) for Hermod in Hybrid Access Gateway, see "Add Certificate Authority" in 5.11 - Add certificates.


Add link translation
  1. In the Hybrid Access Gateway administration interface, go to Manage Resource Access > Web Resources.
  2. As Registered web resource, select api.
  3. Click Edit Resource Host...
  4. Go to the Link Translation tab.
  5. In the Request Content Types field, add application/json.

For more information, go to Web resources.


Redirect polling request


Note

This step is needed only when migrating old profiles from Hybrid Access Gateway to Hermod.

All polling requests that previously went to the Distribution Service must be redirected to the Hermod messaging server, which takes over that responsibility. For example, if the distribution service port was set to 9443, all traffic on port 9443 needs to be redirected to Hermod. This is done by the IT department and can be done using DNS redirect.


Change distribution service port


Note

This step is needed only when migrating old profiles from Hybrid Access Gateway to Hermod.

  1. In the Hybrid Access Gateway administration interface, go to Manage System > Distribution Services.
  2. Click Manage Global Distribution Service Settings...
  3. Change External Port and click Save.
  4. Go to Manage System > Distribution Services.
  5. Select a registered Distribution Service.
  6. Change port for Token Distribution and Image API.
  7. Check Enable Image API.
  8. Click Save.


This article is valid from Hybrid Access Gateway version 5.12
