Integrate Identity Manager with QuoVadis connector
This article is valid for Smart ID 21.04 and later.
This article describes how to connect to the QuoVadis certificate authority from Smart ID Identity Manager. For the supported certificate authorities, see IDM 23.10.3 - Requirements and interoperability.
The following files and details are required:
- QuoVadis account name
- Endpoint URL of the QuoVadis CA service
- QuoVadis CA server certificate (Open the CA endpoint URL in the browser and export the certificate from there)
- CA client PKCS#12 file + signing password
- Policy template IDs used by your QuoVadis organisation(s)
If you want to use an HTTP proxy server such as Squid for the QuoVadis connector, you need these as well:
- hostname or IP of the proxy
- port of the proxy
Proxy authentication is not yet supported.
If you plan to use certificate archival and recovery, the following is also required:
- A configured Smart ID Certificate Manager (CM) and CM connector for key archival and recovery
- Identity Manager CA config name (of the configured CM connector)
- Name of CM recovery token procedure
- The CM must have key archival token procedures with key generation matching the key type and size (for example, RSA 4096 bit) of the respective QuoVadis policy templates
- The CM must have an import CA with a configured P10 import token procedure for import of QuoVadis certificates, which is set in the CM connector config file nexus_cm.properties via:
  caTokenProcedureImportCert=NameOfTheImportProcedure
- This import CA must have a dummy self-signed key pair and the same subject DN as the QuoVadis intermediate CA (for example, "CN=QuoVadis No Reliance ICA G3,O=QuoVadis Limited,C=BM"). If there are multiple different issuers (different policy templates may use different issuers), you need the following per issuer:
  - an import CA configuration in CM
  - a CM connector configuration specifying the import token procedure
  - a QuoVadis connector configuration referencing the CM configuration as key archive
Finally, if you want the certificate chain to be returned with non-recovery requests, you need this:
- QuoVadis CA certificate(s) (intermediate(s) and root), if you want the connector to return a full certificate chain (the QV SOAP API itself does not support this)
For recovery requests the certificate chain is configured in Nexus Certificate Manager, see Use Certificate Manager for key archival and recovery for external CA.
Step-by-step instruction
Make sure you have the following:
- Account: the configured organization of your QuoVadis account you want to use, for example, "My Company"
- Trust store path: truststore file or certificate file of your QuoVadis endpoint, for example: "quovadisglobalcom.crt"
- p12 path: the client certificate which is used to authenticate your Identity Manager installation against QuoVadis, for example: QV_Webservices_MyCompany.p12 (the password has to be configured in the Designer CA configuration in the signing password field)
- CA host, for example: https://tlclientdev.quovadisglobal.com/ws/CertificateServices.asmx
- Certificate archival and recovery: a configured CM connector for key archival and recovery (see the prerequisites above). This is an example configuration:
  - Name of the CM connector config, for example, InternalCMConnector
  - Name of the CM recovery token procedure, for example, QuoVadisRecovery
  - Mapping of the QuoVadis policy template ID for encryption cert templates to the respective CM token procedure (for key archival), for example:
    - 1769 => QvEncryption
    - 1753 => QvEncryption
    - 1811 => QvSmime
- Optional, for chain support in IDM 21.04 and later: the QuoVadis CA certificates in individual files (for example, qvroot.crt, qvintermediate.crt)
- Optional, for proxy support in IDM 21.04 and later: the hostname/IP and port of the proxy
Create a file called quovadis.properties with the following properties (here using the example values from above):
Example

```properties
account=My Company
trustStorePath=quovadisglobalcom.crt
p12Path=QV_Webservices_MyCompany.p12
keyArchive=InternalCMConnector
policyTemplateIdToArchivalTemplateMapping=1769=QvEncryption;1753=QvEncryption;1811=QvSmime
recoveryTemplate=QuoVadisRecovery
# optional proxy config below
proxyHost=proxy.mycompany.com
proxyPort=3128
```
Create a zip file containing the following files in its root folder:
- the certificate configured with trustStorePath, for example, quovadisglobalcom.crt
- the client certificate configured with p12Path, for example, QV_Webservices_MyCompany.p12
- quovadis.properties
- optional: a folder called chainCerts containing the QuoVadis CA certificates (here: qvroot.crt, qvintermediate.crt)
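As an added example that is not part of this article or of the Identity Manager product, the following Python checks a prepared connector bundle before upload: it parses quovadis.properties, splits the policyTemplateIdToArchivalTemplateMapping value into policy ID to token procedure pairs, and confirms that the files named by trustStorePath and p12Path are present in the zip root. The properties content is constructed from the example values above, and validate_bundle takes the zip's entry names as a list because the bundle itself is not on the page.

```python
# Constructed quovadis.properties content using this article's example values.
SAMPLE_PROPERTIES = """\
account=My Company
trustStorePath=quovadisglobalcom.crt
p12Path=QV_Webservices_MyCompany.p12
keyArchive=InternalCMConnector
policyTemplateIdToArchivalTemplateMapping=1769=QvEncryption;1753=QvEncryption;1811=QvSmime
recoveryTemplate=QuoVadisRecovery
# optional proxy config below
proxyHost=proxy.mycompany.com
proxyPort=3128
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def parse_template_mapping(value):
    """Turn '1769=QvEncryption;1753=QvEncryption' into {1769: 'QvEncryption', ...}."""
    mapping = {}
    for entry in filter(None, value.split(";")):
        policy_id, _, procedure = entry.partition("=")
        if not policy_id.strip().isdigit() or not procedure.strip():
            raise ValueError(f"bad mapping entry: {entry!r}")
        mapping[int(policy_id)] = procedure.strip()
    return mapping

def validate_bundle(zip_entries, properties_text):
    """Check a zip's entry names against quovadis.properties; returns a list of problems."""
    names = set(zip_entries)
    if "quovadis.properties" not in names:
        return ["quovadis.properties missing from zip root"]
    props = parse_properties(properties_text)
    required = ("account", "trustStorePath", "p12Path")
    problems = [f"required property {k} missing" for k in required if not props.get(k)]
    # The trust store and p12 files must sit in the zip root under exactly these names.
    for key in ("trustStorePath", "p12Path"):
        if props.get(key) and props[key] not in names:
            problems.append(f"{key}={props[key]} not found in zip root")
    try:
        parse_template_mapping(props.get("policyTemplateIdToArchivalTemplateMapping", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```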
To configure the QuoVadis connector into Identity Manager Admin:
- Log in to Identity Manager Admin.
- Go to Home > Certification Authorities (CA) and click New.
- Enter the Name of the QuoVadis connector. Click Save+Edit.
- Select Connection type QuoVadis.
- Click Upload and upload the zip file created under "Preparations" above.
- Set the CA host URL, as mentioned under "Preparations" above.
- Set the Signing password to the password of the p12 file configured with p12Path.
- Click Save to save the configuration and go to the Details tab.
- Click Search on the right hand side. All QuoVadis CA certificate types are fetched and all configurable certificate types are shown. Click Apply.
- Click Testing. All connections should be green.
- Click Save.
Identity Manager certificate templates used with the QuoVadis connector must have certain additional attributes set:
Follow these instructions to add these values in a certificate configuration:
- In Identity Manager Admin, go to Home > Certificates.
- Scroll to the bottom of the attributes list on the right.
- Fill out three of the four QuoVadis attributes as required (depending on the type: SSL or user cert):
For server SSL certs:
- CERT_API_TYPE: "SSL"
- ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account
- SUBSCRIBER_EMAIL: QuoVadis subscriber email address - assigning the responsible person's email address for this SSL certificate, e.g. from a process variable
For user certs:
- CERT_API_TYPE: "user"
- ORGANISATION: QuoVadis organisation name - as configured in the QuoVadis administration account
- ADMINISTRATOR_EMAIL: QuoVadis administrator email address - set here the email address of a valid QuoVadis administrator (from your QuoVadis account)
The following certificate states for revocation requests are supported:
Identity Manager cert status (case-insensitive) | Status type | RFC-5280 reason for QuoVadis API |
---|---|---|
inactive | Identity Manager only | keyCompromise * |
locked | Identity Manager only | keyCompromise * |
keyCompromise | RFC-5280 | keyCompromise |
affiliationChanged | RFC-5280 | affiliationChanged |
superseded | RFC-5280 | superseded |
cessationOfOperation | RFC-5280 | cessationOfOperation |
As QuoVadis does not support temporary revocation, there are no mappings for Identity Manager cert states active / valid and temporary.inactive.
Any status not listed here (case insensitively) will lead to an error.
*You can optionally configure a different, supported RFC-5280 revocation reason which inactive and locked shall be mapped to in system.properties, for example, like this:
Example

```properties
quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked=superseded
```
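The status mapping above, as an added Python example that is not part of the article or of the product: it resolves an Identity Manager certificate status (case-insensitively) to the RFC 5280 reason sent to QuoVadis, applies the optional rfc5280ReasonForInactiveAndLocked override from system.properties, and rejects any status outside the table. Passing system.properties as a dict and comparing the override value case-insensitively are assumptions of this example.

```python
# Mapping taken from this article's table: lower-cased Identity Manager status -> RFC 5280 reason.
RFC5280_STATES = {
    "keycompromise": "keyCompromise",
    "affiliationchanged": "affiliationChanged",
    "superseded": "superseded",
    "cessationofoperation": "cessationOfOperation",
}
IDM_ONLY_STATES = ("inactive", "locked")  # mapped to keyCompromise unless overridden
OVERRIDE_KEY = "quoVadisServiceFactory.rfc5280ReasonForInactiveAndLocked"

def revocation_reason(idm_status, system_properties=None):
    """Return the RFC 5280 reason for a revocation request, or raise ValueError."""
    props = system_properties or {}
    override = props.get(OVERRIDE_KEY, "keyCompromise")
    # Assumption: the override is matched case-insensitively like the status itself;
    # only the four reasons QuoVadis accepts are allowed (certificateHold is not one).
    if override.lower() not in RFC5280_STATES:
        raise ValueError(f"{OVERRIDE_KEY}={override!r} is not a supported RFC 5280 reason")
    status = idm_status.strip().lower()
    if status in IDM_ONLY_STATES:
        return RFC5280_STATES[override.lower()]
    if status in RFC5280_STATES:
        return RFC5280_STATES[status]
    # active / valid / temporary.inactive and anything else have no mapping: the connector errors.
    raise ValueError(f"status {idm_status!r} cannot be mapped to a QuoVadis revocation reason")
```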
These are the limitations:
- Plain requests without key archival are not supported.
- Non-SAN extensions (for example, key usage) must be configured in the QuoVadis certificate policy templates.
- QuoVadis does not support all possible DN/SAN attributes. Please check the certificate policy templates in the QuoVadis administration or contact the QuoVadis support if necessary.
- QuoVadis certificate policy templates must be configured to allow certificate retrieval via the SOAP API - this needs to be enabled by the QuoVadis support. We do not support use-cases that require user interaction through the web portal.
- Temporary revocation (via state temporary.inactive / certificateHold) is unsupported (QuoVadis limitation).
- Overriding certificate validity (via VALIDITY attribute) is unsupported.
- There are no generic requests.
- ECC is not yet supported.