Hermod is a web-based service for online authentication and signing using Nexus Personal Mobile or Nexus Personal Desktop with smartcards. Introducing the Hermod messaging server enables certificates for Personal Mobile profiles, which increases security.

This article describes how to connect the Hermod messaging server to Hybrid Access Gateway and how to make initial settings.


Prerequisites

  • Installed Hermod messaging server
  • Data migrated from Hybrid Access Gateway to Hermod

Step-by-step instructions

  1. Log in to the Hybrid Access Gateway administration interface with your admin user.


  1. In the Hybrid Access Gateway administration interface, go to Manage system > Policy Services.
  2. Select a policy service to edit it.
  3. Check Enable Provisioning.
  4. Enter the provisioning settings for use by Personal Mobile. These settings apply to all policy services.

    1. Hermod relay URL: Set to https://<access-point-public-host>/https/api/rest/v3.0/relay/hermod by default.

      https://hermod1.nexusgroup.local/https/api/rest/v3.0/relay/hermod


    2. Hermod URL: Set to https://<hermod-public-host>/hermod/rest/command/ by default.

      https://nexus-cod1.nexusgroup.local:20400/command/


    3. Image API URL: Set to https://<distribution-service-public-host>/image/v1/rest/image by default.

      https://hermod1.nexusgroup.local:9443/image/v1/rest/image

      Click the ?-sign for more information and help.

      Field Name

      Description

      Hermod relay URL

      The URL to the Policy Service REST Relay API, which is used for relaying requests to the Hermod server. This must be configured together with the actual callback URL in Hermod, which the Policy Service REST Hermod API uses for processing these callback requests from Hermod. Both of these URLs must be on publicly accessible paths on the "api" web resource (already configured by default). Configure Hermod as follows:

      application.hermod.allowedClients.callbackUrl: https://<access-point-public-host>/https/api/rest/v3.0/hermod

      Set to https://<access-point-public-host>/https/api/rest/v3.0/relay/hermod by default.

      Hermod URL

      The URL to the Hermod REST Command API, which is used for provisioning, authentication and signing. This must be a public URL. The following configuration assumes that Hermod is set up as a web resource and given a Reserved DNS Mapping, with these publicly accessible paths:

      • hermod/rest/command/
      • hermod/rest/ms

      The default URL's path component assumes the following Hermod configuration:

      • server.contextPath: /hermod
      • application.hermod.rest.uribase: /rest
      • application.hermod.messageServerLibrary.publicUrl: https://<hermod-public-host>/hermod/rest/ms
      • application.hermod.cors.pathPatterns: '/rest/ms,/rest/ms/**'

      Set to https://<hermod-public-host>/hermod/rest/command/ by default.

      Image API URL

      The URL to the Distribution Service REST Image API, which is used for fetching images to be displayed during authentication when using Personal Mobile. This must be a public URL. The default path assumes that Hermod is set up as a web resource and given a Reserved DNS Mapping, with this publicly accessible path:

      • image/v1/rest/image

      Set to https://<distribution-service-public-host>/image/v1/rest/image by default.
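
The URL defaults above depend on each other: the callback URL shares the relay URL's host and path apart from the /relay segment, and the Hermod URL path is built from server.contextPath and application.hermod.rest.uribase. The following consistency check is an added example, not part of the product or of the original article. The function name check_hermod_urls and the example.com host names are constructed, and it assumes the default URL layout and that the CORS path patterns are relative to the context path.

```python
from urllib.parse import urlsplit

# Constructed sample values following the defaults quoted above; host names are placeholders.
GATEWAY = {
    "Hermod relay URL": "https://access.example.com/https/api/rest/v3.0/relay/hermod",
    "Hermod URL": "https://hermod.example.com/hermod/rest/command/",
}
HERMOD = {
    "server.contextPath": "/hermod",
    "application.hermod.rest.uribase": "/rest",
    "application.hermod.messageServerLibrary.publicUrl": "https://hermod.example.com/hermod/rest/ms",
    "application.hermod.cors.pathPatterns": "/rest/ms,/rest/ms/**",
    "application.hermod.allowedClients.callbackUrl": "https://access.example.com/https/api/rest/v3.0/hermod",
}

def check_hermod_urls(gateway, hermod):
    """Return a list of mismatches between gateway URLs and Hermod properties."""
    relay = urlsplit(gateway["Hermod relay URL"])
    command = urlsplit(gateway["Hermod URL"])
    callback = urlsplit(hermod["application.hermod.allowedClients.callbackUrl"])
    ms = urlsplit(hermod["application.hermod.messageServerLibrary.publicUrl"])
    uribase = hermod["application.hermod.rest.uribase"].rstrip("/")
    base = hermod["server.contextPath"].rstrip("/") + uribase  # REST path prefix
    # Assumption: CORS patterns are relative to the context path, as the defaults suggest.
    cors = [p.strip() for p in hermod["application.hermod.cors.pathPatterns"].split(",")]
    problems = []
    for name, url in (("Hermod relay URL", relay), ("Hermod URL", command),
                      ("callbackUrl", callback), ("publicUrl", ms)):
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{name} is not an absolute https URL")
    if callback.netloc != relay.netloc:  # both sit on the "api" web resource
        problems.append("callbackUrl and Hermod relay URL are on different hosts")
    relay_path = relay.path.rstrip("/")
    if not relay_path.endswith("/relay/hermod"):
        problems.append("Hermod relay URL path should end in /relay/hermod")
    elif callback.path.rstrip("/") != relay_path[:-len("/relay/hermod")] + "/hermod":
        problems.append("callbackUrl path should be the relay path without /relay")
    if command.path != base + "/command/":  # contextPath + uribase + /command/
        problems.append(f"Hermod URL path should be {base}/command/")
    if ms.path.rstrip("/") != base + "/ms":
        problems.append(f"publicUrl path should be {base}/ms")
    if ms.netloc != command.netloc:
        problems.append("publicUrl and Hermod URL are on different hosts")
    if not {uribase + "/ms", uribase + "/ms/**"} <= set(cors):
        problems.append(f"cors.pathPatterns should cover {uribase}/ms and {uribase}/ms/**")
    return problems

if __name__ == "__main__":
    print(check_hermod_urls(GATEWAY, HERMOD) or "consistent")
```

An empty list means the values are mutually consistent; it does not confirm that the paths are actually published on the access point.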

      This is an overview of what needs to be configured and how the communication flows between Hybrid Access Gateway and Hermod messaging server:


  1. To upload the corresponding Certificate Authority (CA) for Hermod in Hybrid Access Gateway, see "Add Certificate Authority" in 5.11 - Add certificates.


  1. In the Hybrid Access Gateway administration interface, go to Manage Resource Access > Web Resources.
  2. As Registered web resource, select api.
  3. Click Edit Resource Host...
  4. Go to the Link Translation tab.
  5. In the Request Content Types field, add application/json.

For more information, go to Web resources.



This step is needed only when migrating old profiles from Hybrid Access Gateway to Hermod.

All polling requests that previously went to the Distribution Service must be redirected to the Hermod messaging server, which takes over that responsibility. For example, if the Distribution Service port was set to 9443, all traffic on port 9443 needs to be redirected to Hermod. This is done by the IT department and can be done using a DNS redirect.



This step is needed only when migrating old profiles from Hybrid Access Gateway to Hermod.

  1. In the Hybrid Access Gateway administration interface, go to Manage System > Distribution Services.
  2. Click Manage Global Distribution Service Settings...
  3. Change External Port and click Save.
  4. Go to Manage System > Distribution Services.
  5. Select a registered Distribution Service.
  6. Change the port for Token Distribution and Image API.
  7. Check Enable Image API.
  8. Click Save.


This article is valid from Hybrid Access Gateway version 5.12
