Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


This article describes how to install the Protocol Gateway component in Smart ID Certificate Manager.

Prerequisites

The following prerequisites apply:

Step-by-step instruction

 Install CM clients with Protocol Gateway option

If the Protocol Gateway client is not already installed:

  1. Follow the steps in either of these instructions and make sure to check Protocol Gateway in the list of clients, as well as Administrator's Workbench (AWB) and Registration Authority (RA), which are needed to set up the CA and policy objects:
    1. Install Certificate Manager clients on Windows
    2. Install Certificate Manager clients on Linux
 Copy Protocol Gateway .war file

To copy the Protocol Gateway .war file:

  1. Go to the CM installation folder, for example \CM\clients\web\pgwy\
  2. Copy the file pgwy.war to the Tomcat webapps folder, for example \Tomcat\webapps
  3. Start Tomcat. After the startup is complete, stop it again.
    When Protocol Gateway is started for the first time, the \conf folder and the initial configuration files are created, for example C:\ProgramData\Nexus\cm-gateway\conf\. Error messages can be ignored at this point.
 Configure Tomcat service

To configure Tomcat: 

  1. On Windows
    1. Run the Tomcat9w.exe application.
      Tomcat9w is a GUI application for monitoring and configuring Apache Tomcat services. For more information, see http://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html.
    2. Go to the Logging tab, and set Log path to C:\ProgramData\Nexus\cm-gateway\logs.

    3. Go to the Java tab, and set the following properties:

      Example: Java options
      -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
      -Djava.util.logging.config.file=C:\ProgramData\Nexus\cm-gateway\conf\logging.properties
      -Dnexus.var=C:\ProgramData\Nexus\cm-gateway
  2. On Linux

    1. Open the script file setenv.sh in the Apache Tomcat bin folder for editing. 

    2. Set the following options in CATALINA_OPTS as a string separated by spaces.

      Example: Set options in setenv.sh
      CATALINA_OPTS="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
          -Djava.util.logging.config.file=/var/cm-gateway/conf/logging.properties \
          -Dnexus.var=/var/cm-gateway"

      Configuring Protocol Gateway as a service on Linux depends on the distribution used and is not covered here.

  3. Do not restart Tomcat yet.
    Restarting Tomcat at this point would produce an error message, since Protocol Gateway is not yet configured.

 Secure Tomcat service - some recommendations

Securing the Apache Tomcat Service is outside the scope of the Protocol Gateway application.

However, here are some recommended steps to secure the Tomcat service: 

  1. Open the file <CATALINA_BASE>\conf\server.xml for editing, where <CATALINA_BASE> is the Tomcat installation path.

  2. In the Connector section, do the following updates: 

    1. Set protocols to include only TLSv1.3 and TLSv1.2 (and thereby disable TLSv1.1 and TLSv1.0).

    2. Force the clients to respect the server's cipher order, by setting honorCipherOrder to true.
    3. Only enable strong ciphers, by setting the ciphers attribute.
Example: server.xml Connector configuration
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig
        honorCipherOrder="true"
        ciphers="HIGH:!3DES:!DES:!SHA1:!SHA256:!SHA384:!SEED"
        protocols="TLSv1.3,TLSv1.2">
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.p12"
            certificateKeystorePassword="1234"
            certificateKeystoreType="PKCS12"
            type="RSA" />
    </SSLHostConfig>
</Connector>
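As an added check that is not part of the Nexus documentation or product, the following Python script parses a Tomcat server.xml and reports every SSL-enabled Connector that does not meet the three recommendations above (protocols limited to TLSv1.3/TLSv1.2, honorCipherOrder set to true, an explicit ciphers list). The embedded server.xml is constructed for the example and contains one hardened and one weak Connector.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the product): the 8443 Connector follows
# the recommendations above, the 8444 Connector relies on Tomcat defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig honorCipherOrder="true" protocols="TLSv1.3,TLSv1.2"
                   ciphers="HIGH:!3DES:!DES:!SHA1:!SHA256:!SHA384:!SEED">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                   certificateKeystorePassword="1234" type="RSA" />
    </SSLHostConfig>
  </Connector>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="all">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                   certificateKeystorePassword="1234" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

ALLOWED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"}


def check_server_xml(xml_text):
    """Return {port: [findings]} for every SSLEnabled Connector; [] means compliant."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are not TLS endpoints
        findings = []
        hostconfigs = conn.findall("SSLHostConfig")
        if not hostconfigs:
            findings.append("no SSLHostConfig; Tomcat TLS defaults apply")
        for shc in hostconfigs:
            # Tomcat's default for protocols is "all", which still includes TLSv1.0/1.1
            protos = {p.strip() for p in shc.get("protocols", "all").split(",")}
            if not protos <= ALLOWED_PROTOCOLS:
                findings.append("protocols allows more than TLSv1.3,TLSv1.2: " + shc.get("protocols", "all"))
            if shc.get("honorCipherOrder", "false").lower() != "true":
                findings.append('honorCipherOrder is not "true"')
            if not shc.get("ciphers"):
                findings.append("ciphers not set; default cipher list is used")
        results[conn.get("port", "?")] = findings
    return results


if __name__ == "__main__":
    for port, issues in check_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

To check a real installation, pass the contents of <CATALINA_BASE>/conf/server.xml to check_server_xml instead of the sample.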

Initial configuration

To do initial configuration of Protocol Gateway, see Initial configuration of Protocol Gateway.

Upgrade Protocol Gateway

To upgrade to a newer version of Protocol Gateway, see Upgrade Protocol Gateway.