Integrate Smart ID Messaging with other Smart ID components

This article describes how to integrate Smart ID Messaging with other Smart ID components (Identity Manager or Digital Access).

Each client (Identity Manager, Digital Access etc) that connects to the messaging service must be added to the configuration file and set up with an api key.

From Smart ID Messaging component Hermod version 3.5.0, swagger is enabled by default. See heading “If needed, edit Hermod configuration” in Install Hermod for an example.

The Smart ID component (Identity Manager or Digital Access) connects to Smart ID Messaging with the API key for the specific client, and initiates a command.
The command is then processed by a device and a response is sent back to the public-url as configured in Smart ID Messaging.
When the command has been processed by the device or when it has expired, the returned response is validated by Smart ID Messaging and a callback is sent to the configured callback-url for the originating client-id.

Prerequisites

Smart ID is installed, see Deploy Smart ID.

Step-by-step instruction

Configure clients

Start the messaging service

Go to the application folder, for example <SMARTIDHOME>/docker/compose/messaging.
Run this command:
...
docker-compose start

Generate a template for a client section

Note: If Smart ID Messaging is going to be used both for Identity Manager and Digital Access, the group must be the same for Identity Manager and Digital Access.

Generate an Identity Manager (IDM) client

Open a browser and go to the following URL to generate an 'idm' client:
Example: Generate 'idm' client URL
http://<MESSAGING-HOST>:20400/util/generateclient/idm

Copy the content from the resulting web page and paste it into the allowed-clients section of the messaging service configuration file. Then modify it according to your system setup. This enables, for example, that an issued Mobile ID or Smart Card issued in Identity Manager, can be used in Digital Access.

Example of a configured 'idm' client

CODE

# X-Api-Key: aWRtOjQ0NjAyMDEzNGVlODQyMmRiNTc2OWZiZWY5MTA0YTQxNTc3Mjg2MTAyMzZkNGRkMWE0YjM3ZjkzNWRhYjQxMGE=
- client-id: idm
  key: 446020134ee8422db5769fbef9104a4157728610236d4dd1a4b37f935dab410a
  group: smartid 
  # Callback Basic Auth is Required for Identity Manager callback.
  callback-basic-auth: username:password
  # The callback URL base for Identity Manager
  callback-url: https://<IDM-HOST>/ws/hermod

If you are deploying Identity Manager with war files, the callback url is
https://<IDM-HOST>/prime_explorer/ws/hermod

Generate a Digital Access (DA) client

Open a browser and go to the following URL to generate a 'da' client:
Example: Generate 'da' client URL
http://<MESSAGING-HOST>:20400/util/generateclient/da

Copy the content from the resulting web page and paste it into the allowed-clients section of the messaging service configuration file. Then modify it according to your system setup.

Example of a configured 'da' client

CODE

# X-Api-Key: ZGE6YjIwZjBmZDkwYThiNDhjNWFhOWI2OTRiOGU3ZGQxMWUyMDA0MDI5NWFmYjY0NmVhYmRjODk4MDFiNjVkZGUzNg==
- client-id: da
  key: b20f0fd90a8b48c5aa9b694b8e7dd11e20040295afb646eabdc89801b65dde36
  group: smartid 
  # The callback URL base for Digital Access.
  callback-url: https://<DA-HOST>/https/api/rest/v3.0/personalmessaging

Placement of certificates used for the callback connection

Place any certificates used for the callback connection in the cacerts/ folder, in base64 format (PEM) with the .cer file extension.

When the messaging service start, you will see logs like
INFO: Adding certificate xxx.cer using alias xxx
printed before the big "Hermod" ASCII art, see this example:

CODE

...
INFO: Adding certificate xxx.cer using alias xxx
...

██╗  ██╗███████╗██████╗ ███╗   ███╗ ██████╗ ██████╗ 
██║  ██║██╔════╝██╔══██╗████╗ ████║██╔═══██╗██╔══██╗
███████║█████╗  ██████╔╝██╔████╔██║██║   ██║██║  ██║
██╔══██║██╔══╝  ██╔══██╗██║╚██╔╝██║██║   ██║██║  ██║
██║  ██║███████╗██║  ██║██║ ╚═╝ ██║╚██████╔╝██████╔╝
╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚═╝     ╚═╝ ╚═════╝ ╚═════╝ 

...
...

If you do not see any logs, there is something wrong with either the mapped directory or the certificate files themselves.
1. Make sure that the cacerts folder has right permissions (e.g. 755)
2. Make sure that you have used the correct syntax for mounting directories to the docker container in docker-compose.yml.

Configure the public base url for the messaging service

The public-url setting in hermod-conf.yml is the URL that external apps, such as Smart ID Mobile App and Smart ID Desktop App will connect to. You must be able to reach it from internet and TLS must be used to make sure that the external apps work.

Set the public-url, see this example:

Example: Set public-url

CODE

...
    # Message server library settings
    message-server-library:

      public-url: https://<MESSAGING-SERVER>/ms

Clients such as Digital Access and Identity Manager do not use the public-url. They should be configured to use "http(s)://<MESSAGING-SERVER>/command" which is the base url for endpoints that trigger various commands, such as provisioning, authenticate etc.

Configure TLS

When you use TLS for the public-url, you need to either:

terminate SSL in ingress/proxy traefik

OR

configure the server.ssl section in config/hermod-conf.yml. This is described below.

Place your certificates (p12 format) in the SmartID certs folder which is mapped to a certificates folder inside the running docker container. In the example below, the file smartidtls.p12 is used.
Enable the setting as seen below and make sure to set the correct password.

Configure SSL in hermod-conf.yml

CODE

server:
  ssl:
    enabled: true
    key-store: /home/docker/certificates/smartidtls.p12
    key-store-password: "<somepass>"
    keyStoreType: PKCS12

Initialize the database

The database for Smart ID Messaging must be initialized using files for the specific database engine and version of Smart ID Messaging.

For a new installation, do the following:

Use the files called Vx.y.z__base_version.sql matching the specific version (for example, V3.2.0__base_version.sql).

For an upgrade, do the following:

Use all files between the previous version and the new version which are not named Vx.y.z__base_version.sql (for example, V2.5.1__new_indexes.sql, V3.1.1__lifesign_table.sql etc)
You might have to edit the files to match the correct database user.