
Configure Certificate Manager Web UI

All changes, including the sub-sections below, are configured in the cm-gateway/conf/auth.properties configuration file.

You must configure Protocol Gateway for external authentication against Hermod to use CM Web UI. 

Before you start, the following components must be installed/configured:

Configure Protocol Gateway for external authentication against Hermod

Set the start flag to "true" in cm-gateway/conf/auth.properties.

CODE
start = true

Configure the Hermod integration

  1. Follow the Hermod API integration instructions to set up an integration with Protocol Gateway and specify the callback URL to the Protocol Gateway server: https://<hostname>:<port>/pgwy/auth/. Hermod also requires that the server certificate for the Protocol Gateway on this hostname is trusted. For more information, see Add API user and callback URL in Hermod.

  2. Enter the API key from Hermod in the auth.properties file in Protocol Gateway and set the Hermod API URL.

This specifies where the Hermod API can be reached and depends on the installation.

CODE
default.authservice.apiurl = https://<hostname>:<port>/

  1. Set the Hermod API key. This key is produced when configuring Hermod for API integration. For more information, see Install Hermod.

CODE
default.authservice.apikey = <base64-encoded secret key>

Configure session sharing between multiple instances of Protocol Gateway

Protocol Gateway automatically detects other instances on the same network using multicast. The multicast group and/or port can be configured if needed and the automatic instance detection can be replaced by (or combined with) a static list of known instance addresses.

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

At a minimum, SSL must be configured for the session sharing mechanism to ensure secure communication.

Do the following:

  1. Set the connection SSL truststore. Do one of the following:

    • Configure the SSL connection with a 'keyfile' using a certificate and key in a PKCS#12 file. 

    • Configure the SSL connection with a subject and by connecting to an HSM with: default.cacheservice.ssl.certificate.subject 

      CODE
      default.cacheservice.ssl.keyfile = vro.p12

  2. Set the SSL keyfile password.

    CODE
    default.cacheservice.ssl.password = 1234

  3. Optional: Disable TCP multicast. This can be useful if using a static member list. See default.cacheservice.members.

    CODE
    default.cacheservice.multicast = false

  4. Optional: Configure TCP multicast port and group. This can be useful if there are several instances of Protocol Gateway on the same network.

    CODE
    default.cacheservice.multicastgroup = 224.2.2.3
    default.cacheservice.multicastport = 54327

  5. Optional: Configure a static list of PGW member nodes. This is an alternative to multicast node discovery when the address and port of the member nodes are known beforehand.

    CODE
    default.cacheservice.members = localhost:1234,localhost:4321

Alternative configuration: Disabled session sharing

You can disable the sharing functionality if only one instance of Protocol Gateway is hosted.

  • Configure the cacheservice as a local cache and remove all other cacheservice related configurations.

    CODE
    default.cacheservice.factory = com.nexussafe.cm.pgwy.auth.cache.local.LocalCacheServiceFactory

Alternative configuration: SSL with PKCS#11

You can configure the sharing of session data to be protected using an SSL encryption certificate in an HSM via PKCS#11.

  • Configure the cacheservice to fetch the SSL encryption certificate from the HSM.

    CODE
    default.cacheservice.ssl.certificate.subject = Protocol Gateway VRO

  • Configure the cacheservice pin to access the token.

    CODE
    default.cacheservice.ssl.password = 1234

  • Configure the cacheservice to specify which PKCS#11 library to use when searching for the SSL encryption certificate and key.

    CODE
    default.cacheservice.ssl.pkcs11 = {ProgramFiles}/Personal/Bin/personal.[dll|so]
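
A consistency check for the settings covered above, from the Hermod integration through the session-sharing alternatives, as an added example that is not part of the Nexus documentation or product: it parses auth.properties with a simplified key = value parser and reports the conditions this page calls out, including leftover cacheservice keys when the local cache factory is selected. The function names, finding texts and the hostname in the sample are assumptions, and treating the sample password 1234 as a finding is this example's own policy.

```python
import base64

LOCAL_FACTORY = "com.nexussafe.cm.pgwy.auth.cache.local.LocalCacheServiceFactory"
CS = "default.cacheservice."

def parse_properties(text):
    """Minimal 'key = value' parser; skips blank and #/! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return findings for the auth.properties settings this page describes."""
    findings = []
    if props.get("start") != "true":
        findings.append("start is not 'true'")
    if not props.get("default.authservice.apiurl", "").startswith("https://"):
        findings.append("authservice.apiurl is not an https:// URL")
    try:
        key = base64.b64decode(props.get("default.authservice.apikey", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        key = b""
    if not key:
        findings.append("authservice.apikey is missing or not valid base64")
    cache = {k[len(CS):]: v for k, v in props.items() if k.startswith(CS)}
    if cache.get("factory") == LOCAL_FACTORY:
        extra = sorted(k for k in cache if k != "factory")
        if extra:
            findings.append("local cache set, stale cacheservice keys: " + ", ".join(extra))
        return findings
    has_p12 = bool(cache.get("ssl.keyfile"))
    has_hsm = bool(cache.get("ssl.certificate.subject") and cache.get("ssl.pkcs11"))
    if not (has_p12 or has_hsm):
        findings.append("session sharing without SSL keyfile or HSM subject + pkcs11")
    if cache.get("ssl.password") in (None, "", "1234"):  # 1234 is the page's sample
        findings.append("cacheservice.ssl.password unset or still the sample value")
    if cache.get("multicast") == "false" and not cache.get("members"):
        findings.append("multicast disabled but no static members listed")
    return findings

# Constructed sample input: placeholder values left in place, no SSL key source.
SAMPLE = """start = true
default.authservice.apiurl = https://hermod.example.test:8443/
default.authservice.apikey = <base64-encoded secret key>
default.cacheservice.ssl.password = 1234
default.cacheservice.multicast = false"""
```

To check a deployed file, pass its contents through `lint(parse_properties(...))`; an empty list means none of these checks fired.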

Configure download of Personal Desktop Client

To enable access to CM Web UI, the user must have Personal Desktop Client installed. As an administrator, you can configure CM Web UI to deliver the installation files for Personal Desktop Client to be downloaded on the sign-in page. Do the following:

  1. Go to https://downloads.nexusgroup.com/ and download Personal Desktop Client.

  2. On the Tomcat instance that runs the web UI, navigate to: <tomcat-home>/webapps/webui/files

  3. In the directory, place the installation media for Personal Desktop Client using the following names:

    • Windows: windows.zip

    • Linux: ubuntu-20_22.zip

    • MacOS: macosx.zip

The user can now download Personal Desktop Client by clicking the hyperlink Download Personal Desktop Client on the sign-in page.
