SCEP NDES Setup

SCEP NDES Configuration Overview

Configuring SCEP NDES does not require many steps. Use the default SCEP NDES handlers that are delivered with the product. Two handlers are required for SCEP NDES to work: the challenge handler and the request handler. The default challenge handler is handler.3 and the default request handler is handler.4.

The dynamic password generated by sending an authorized request to the challenge URL is globally available. As such, only one challenge handler is required, unless each administrator must have unique credentials.

For each NDES request token procedure you must create an always-open wildcard registration using the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password. This wildcard registration is required to perform the initial match before the dynamic password is verified.

Configure SCEP NDES

Prerequisites

SCEP NDES uses the CF Production Order services to handle the dynamically created registrations. This requires the parameter CardProductionManager.start to be set to true in cm.conf.

Procedure policy objects
  1. Launch the Nexus Administrators Workbench client (AWB).
  2. Create a new certificate procedure using the AWB. The certificate format must be scepndesdynamicenroll.
  3. Create a new token procedure using the AWB. It must reference the certificate procedure created in step 2, have the storage profile pkcs10 and use the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password.
Wildcard order
  1. Launch the Nexus Registration Authority client (RA).
  2. Navigate to the order tab, select the token procedure created previously, and create a new registration with the following values:

    FQDN: *
    Validity time (days): always
    State: Open

Handler configuration in scep.properties

The remaining task is to configure the two handlers for SCEP NDES in scep.properties. The request handler must reference the token procedure created above as its handler.x.tokenprocedure. All available parameters are listed in the next section.

Parameters

NDES Challenge handler

NDES challenge filter. The request URL that must match for this handler to be used.

CODE
handler.3.filter = ndeschallenge/

NDES challenge format. Must be set to scep-ndes.

CODE
handler.3.format = scep-ndes

NDES admin username. Change the default admin username to your desired username.

CODE
handler.3.ndesUsername = ndesadmin

NDES admin password. Change the default admin password to your desired password. Remember to scramble the password.

CODE
handler.3.ndesPassword = ndespassword

NDES challenge validity. Defines how long the dynamically created challenge password remains valid. Expects the ISO-8601 duration format. The default validity is 15 minutes (PT15M).

CODE
handler.3.ndesChallengeValidity = PT15M

NDES challenge encoding. Defines the character encoding of the challenge web page. The default, UTF-8, is supported by the majority of clients.

CODE
handler.3.ndesChallengeEncoding = UTF-8


NDES Request handler

NDES request filter. The request URL that must match for this handler to be used.

CODE
handler.4.filter = ndesrequest

NDES request format. Must be set to scep.

CODE
handler.4.format = scep

NDES request token procedure. Must be the name of the token procedure created above.

CODE
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
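As an added example (not part of the product or of this documentation), the following Python script reads a constructed scep.properties fragment, groups the handler.N.* keys, and checks the points the sections above call out: exactly one challenge handler with format scep-ndes, a request handler with format scep and a tokenprocedure, the documented default ndesadmin/ndespassword credentials not left in place, and the ndesChallengeValidity value parsed as an ISO-8601 duration. The 3600-second ceiling on the challenge lifetime is an assumed local policy value, not a product limit, and the script knows nothing about the product's password scrambling format, so it can only catch the unchanged default.

```python
import re
from typing import Dict, List

# Constructed sample scep.properties content for this example. It is not taken from
# any real deployment; the key names follow the handler.N.* layout documented above
# and the credential values are the documented defaults, so the checker flags them.
SAMPLE_PROPERTIES = """\
# NDES challenge handler
handler.3.filter = ndeschallenge/
handler.3.format = scep-ndes
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = ndespassword
handler.3.ndesChallengeValidity = PT15M
handler.3.ndesChallengeEncoding = UTF-8

# NDES request handler
handler.4.filter = ndesrequest
handler.4.format = scep
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
"""

DEFAULT_USERNAME = "ndesadmin"      # documented default, must be changed
DEFAULT_PASSWORD = "ndespassword"   # documented default, must be changed

# Day/time subset of ISO-8601 durations (PnDTnHnMnS); years and months are not handled.
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso8601_duration(value: str) -> int:
    """Convert a duration such as PT15M or P1DT2H into seconds; raise on bad input."""
    text = value.strip()
    match = _DURATION_RE.match(text)
    if not match or text in ("P", "PT"):
        raise ValueError(f"not a supported ISO-8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties reader: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def group_handlers(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Turn handler.N.key entries into {N: {key: value}}."""
    handlers: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        parts = key.split(".", 2)
        if len(parts) == 3 and parts[0] == "handler":
            handlers.setdefault(parts[1], {})[parts[2]] = value
    return handlers


def check_ndes_handlers(text: str, max_validity_seconds: int = 3600) -> List[str]:
    """Return findings for the NDES handler pair; an empty list means the config passes.

    max_validity_seconds is an assumed local policy ceiling for the challenge
    lifetime (hypothetical value), not a limit defined by the product."""
    findings: List[str] = []
    handlers = group_handlers(parse_properties(text))
    challenge = {n: h for n, h in handlers.items() if h.get("format") == "scep-ndes"}
    request = {n: h for n, h in handlers.items() if h.get("format") == "scep"}

    if len(challenge) != 1:
        findings.append(f"expected exactly one challenge handler (format scep-ndes), found {len(challenge)}")
    if not request:
        findings.append("no request handler with format scep")

    for n, h in challenge.items():
        if not h.get("filter"):
            findings.append(f"handler.{n}: filter is not set")
        if h.get("ndesUsername") == DEFAULT_USERNAME:
            findings.append(f"handler.{n}: default ndesUsername still in use")
        if h.get("ndesPassword") == DEFAULT_PASSWORD:
            findings.append(f"handler.{n}: default ndesPassword still in use")
        validity = h.get("ndesChallengeValidity", "PT15M")  # documented default when unset
        try:
            if parse_iso8601_duration(validity) > max_validity_seconds:
                findings.append(f"handler.{n}: challenge validity {validity} exceeds {max_validity_seconds}s")
        except ValueError as exc:
            findings.append(f"handler.{n}: {exc}")

    for n, h in request.items():
        if not h.get("filter"):
            findings.append(f"handler.{n}: filter is not set")
        if not h.get("tokenprocedure"):
            findings.append(f"handler.{n}: tokenprocedure is not set")
    return findings


if __name__ == "__main__":
    for finding in check_ndes_handlers(SAMPLE_PROPERTIES) or ["no findings"]:
        print(finding)
```

Run against the embedded sample it reports the two untouched default credentials; pointing it at a real scep.properties (read the file and pass its contents to check_ndes_handlers) is a quick pre-deployment check that the handler pair is complete and the challenge lifetime is what you intended.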
