This article is valid for Certificate Manager 8.5 and later.
CM Web Services (CM WS) is a web service interface used for certificate management in Smart ID Certificate Manager (CM). CM WS has the functionality to enroll, revoke, search and fetch certificates. CM WS uses a virtual registration officer for TLS communication and certificate request authorization to the CM server.
CM Web Services provides the functionality of the CM SDK as an XML/SOAP-based web service.
The configuration examples in this document assume that Apache Tomcat is used as the Java servlet container.
Prerequisites
- At least one officer is required for TLS communication and signing.
- This information is needed for the virtual registration officer (vRO)*:
  - Filename of the p12 file containing the vRO.
  - If the vRO is stored on a smart card or an HSM:
    - the Common Name of the vRO is required
    - Personal Desktop Client or the PKCS11 driver of the HSM must be installed
- The CA certificate of the CM server TLS certificate is needed to create the trust store on the servlet machine.
- Create the appropriate certificate and token procedures in CM; see Administration tasks in Certificate Manager.
*The vRO signs the certificate requests from CM WS to CM and sets up the TLS connection.
Configuration tasks
- Install Java.
- Make sure that the policy files for strong encryption (US_export_policy.jar and local_policy.jar) are installed in the lib/security folder of the JRE used by Tomcat.
- Install the web server (Apache Tomcat) and set JAVA_HOME.
- If the vRO is stored on a smart card, install Personal Desktop Client (if not already installed with CM-SDK).
- Install the war file:
- Copy the file cmws.war, located in <client_root>/web/cmws to the webapps folder of Tomcat.
- Start Tomcat and the war file will create the folder cmws.
- Next step: Configure the files cmws.properties and cmsdk.properties, located in cmws/WEB-INF/config.
Configure cmws.properties
In the file cmws.properties on the web server, do the following settings:
- Set the token procedure to the appropriate token procedure in CM. You can also choose this procedure by sending the name of the procedure, included as a string argument, in the enrollment request.
- To configure the vRO for TLS communication, set the filename of the vRO p12 file in OfficerFile or the Common Name of the vRO in OfficerAttributes.
- Point out the file pin.crt to be used when encrypting PINs before sending them to CM.
- Set the hostname of the CM server.
- Configure parameters for error logging.
Configure cmsdk.properties
In the file cmsdk.properties on the web server, do the following settings:
- Set the parameter ssl.rootfilename to contain the path of the trust store folder that contains the trusted CA certificates. A CA certificate can be copied to a file in the AWB.
- If these optional values are to be used, add them to the cmsdk.properties file:
  - cm.ssl.proxyport, the TLS proxy port (optional)
  - cm.ssl.proxyuser, the TLS proxy user (optional)
  - cm.ssl.proxypassword, the TLS proxy password (optional)
  - cm.ssl.servernameindication, the host name of the CM server to contact in cases where the host of the CM server also hosts other TLS servers on the same IP and TLS port. It may also apply if the CM SDK application (CMWS) must connect to the CM server via a proxy or a load balancer (optional).
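As an added example (not part of CM WS or its documentation), the following Python pre-flight check parses cmws.properties and cmsdk.properties and reports settings from the two sections above that are missing or inconsistent before Tomcat is started. Only keys named on this page are checked; the file contents at the bottom are constructed for illustration.

```python
# Added example, not part of CM WS: pre-flight check of the settings above.
import os
import re

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, 'key=value' or
    'key: value', and backslash line continuations."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):            # value continues on the next line
            pending.append(line[:-1])
            continue
        logical = "".join(pending) + line
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_config(cmws, cmsdk):
    """Return a list of findings for cmws.properties / cmsdk.properties
    (empty list means the required settings are present and consistent)."""
    findings = []
    officer_file = cmws.get("OfficerFile", "")
    if not officer_file and not cmws.get("OfficerAttributes"):
        findings.append("no vRO: set OfficerFile (p12) or OfficerAttributes (CN)")
    elif officer_file and not os.path.isfile(officer_file):
        findings.append("OfficerFile does not exist: " + officer_file)
    root = cmsdk.get("ssl.rootfilename", "")
    if not root:
        findings.append("ssl.rootfilename unset: CM server TLS certificate cannot be verified")
    elif not os.path.exists(root):
        findings.append("ssl.rootfilename path does not exist: " + root)
    port = cmsdk.get("cm.ssl.proxyport")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("cm.ssl.proxyport is not a valid port: " + port)
    if cmsdk.get("cm.ssl.proxyuser") and not cmsdk.get("cm.ssl.proxypassword"):
        findings.append("cm.ssl.proxyuser set without cm.ssl.proxypassword")
    return findings

if __name__ == "__main__":
    # Constructed sample contents, not taken from a real installation.
    cmws = parse_properties("# vRO on smart card\nOfficerAttributes = CN=cmws-vro\n")
    cmsdk = parse_properties("ssl.rootfilename = /opt/cmws/trust\ncm.ssl.proxyport = 8o80\n")
    for finding in check_config(cmws, cmsdk):
        print("FINDING:", finding)
```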
Configure cm.conf
If a revocation password is to be used when revoking a certificate, this has to be configured in the file cm.conf under the section Custom certificate attributes. This is an example of how it might be configured:
certsearch.customattributes=field2
certsearch.customattribute.field2="Revocation password",revocationpassword