SCEP NDES Configuration Overview
Configuration of SCEP NDES does not require many steps. Use the default SCEP NDES handlers that are delivered with the product. Two handlers are required for SCEP NDES to work: the challenge handler and the request handler. The default challenge handler is handler.3 and the default request handler is handler.4.
The dynamic password generated by sending an authorized request to the challenge URL is global: it is not bound to a particular requester. As such, only one challenge handler is required, unless each administrator must have unique credentials.
For each NDES request token procedure you must create a wildcard registration with validity "always" using the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password. This wildcard registration is required to perform the initial match of the incoming request before the dynamic password is verified.
Configure SCEP NDES
SCEP NDES uses the CF Production Order services to handle the dynamically created registrations. This requires the parameter CardProductionManager.start to be set to true in cm.conf.
- Launch the Nexus Administrators Workbench client (AWB).
- Create a new certificate procedure using the AWB. The certificate format must be scepndesdynamicenroll.
- Create a new token procedure using the AWB. It should reference the created certificate procedure, have storage profile pkcs10 and the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password.
- Launch the Nexus Registration Authority client (RA).
- Navigate to the order tab, select the token procedure created previously and create a new registration with the following value:
  Validity time (days): always
The remaining task is to configure the two handlers for SCEP NDES. The request handler must reference the token procedure created above in its handler.x.tokenprocedure parameter. All available parameters are listed below.
NDES challenge filter. The request URL that this handler matches.
handler.3.filter = ndeschallenge/
NDES challenge format. Must be set to scep-ndes.
handler.3.format = scep-ndes
NDES admin username. Change the default admin username to your desired username.
handler.3.ndesUsername = ndesadmin
NDES admin password. Change the default admin password to your desired password. Do not leave the password in cleartext in the configuration file; remember to scramble it.
handler.3.ndesPassword = ndespassword
NDES challenge validity. Defines how long a dynamically created challenge password remains valid. Expects ISO-8601 duration format. The default validity is 15 minutes (PT15M).
handler.3.ndesChallengeValidity = PT15M
NDES challenge encoding. Defines the character encoding of the challenge web page. The default is UTF-8, which suits the majority of deployments.
handler.3.ndesChallengeEncoding = UTF-8
NDES request filter. The request URL that this handler matches.
handler.4.filter = ndesrequest
NDES request format. Must be set to scep.
handler.4.format = scep
NDES request token procedure. Must be the name of the token procedure created above.
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
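The following script is an added example and is not part of Nexus Certificate Manager; it checks a cm.conf fragment containing the handler parameters listed above before the service is restarted. It assumes the "key = value" layout and the handler.N.* keys shown on this page, and the sample configuration embedded in it is constructed for the example. It verifies that a challenge handler (format scep-ndes) and a request handler (format scep) exist, that the request handler names a token procedure, that ndesChallengeValidity is a parseable ISO-8601 duration, and it flags the documented default admin credentials if they have not been changed (a cleartext ndespassword value is also a sign the password was never scrambled). The one-hour warning threshold on the challenge validity is the example's own heuristic, motivated by the fact that the challenge password is global rather than bound to a requester.

```python
"""Sanity-check the handler.N parameters for SCEP NDES in a cm.conf fragment.

Added example, not Nexus Certificate Manager code. Assumes the
handler.N.filter/format/ndesUsername/ndesPassword/ndesChallengeValidity/
tokenprocedure keys documented on this page and a "key = value" file layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's example values, with the admin credentials unchanged.
SAMPLE_CONF = """
# SCEP NDES challenge handler
handler.3.filter = ndeschallenge/
handler.3.format = scep-ndes
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = ndespassword
handler.3.ndesChallengeValidity = PT15M
handler.3.ndesChallengeEncoding = UTF-8
# SCEP NDES request handler
handler.4.filter = ndesrequest
handler.4.format = scep
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
"""

# The default credential values shown in the example configuration on this page.
DEFAULT_CREDENTIALS = {"ndesUsername": "ndesadmin", "ndesPassword": "ndespassword"}

# Heuristic threshold for this example: the challenge is not requester-bound, so a
# long validity widens the window in which a leaked challenge can be replayed.
MAX_RECOMMENDED_VALIDITY = timedelta(hours=1)

_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso8601_duration(text):
    """Parse the day/hour/minute/second subset of ISO-8601 durations (e.g. PT15M) into a timedelta."""
    m = _DURATION_RE.match(text.strip())
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"not an ISO-8601 duration: {text!r}")
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=parts["d"], hours=parts["h"], minutes=parts["m"], seconds=parts["s"])


def parse_handlers(conf_text):
    """Group 'handler.N.key = value' lines by handler index N; comments and other keys are ignored."""
    handlers = defaultdict(dict)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = re.match(r"^handler\.(\d+)\.(\w+)$", key)
        if m:
            handlers[int(m.group(1))][m.group(2)] = value
    return dict(handlers)


def check_ndes_config(conf_text):
    """Return a list of findings; an empty list means the fragment is consistent with this page."""
    findings = []
    handlers = parse_handlers(conf_text)
    challenge = [n for n, h in handlers.items() if h.get("format") == "scep-ndes"]
    request = [n for n, h in handlers.items() if h.get("format") == "scep"]
    if not challenge:
        findings.append("no challenge handler with format = scep-ndes")
    if not request:
        findings.append("no request handler with format = scep")
    for n in challenge:
        h = handlers[n]
        for key, default in DEFAULT_CREDENTIALS.items():
            if h.get(key) == default:
                findings.append(f"handler.{n}.{key} still has the documented default value")
        try:
            validity = parse_iso8601_duration(h.get("ndesChallengeValidity", "PT15M"))
            if validity > MAX_RECOMMENDED_VALIDITY:
                findings.append(f"handler.{n}.ndesChallengeValidity is long ({validity})")
        except ValueError as e:
            findings.append(f"handler.{n}.ndesChallengeValidity: {e}")
    for n in request:
        if not handlers[n].get("tokenprocedure"):
            findings.append(f"handler.{n}.tokenprocedure is missing")
    return findings


def challenge_expiry(issued_at, validity_text):
    """Time after which a challenge issued at `issued_at` is no longer accepted."""
    return issued_at + parse_iso8601_duration(validity_text)


if __name__ == "__main__":
    for finding in check_ndes_config(SAMPLE_CONF):
        print("finding:", finding)
    now = datetime.now(timezone.utc)
    print("a challenge issued now expires at", challenge_expiry(now, "PT15M").isoformat())
```

Run against the constructed sample the script reports exactly two findings, both for the unchanged default credentials on handler.3; the format, token procedure and duration checks pass. Point it at your real cm.conf fragment by replacing SAMPLE_CONF with the file contents.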