Nexus Documentation

Set up certificate-based login to Identity Manager (Docker)

Configuration of the authentication profile in Smart ID Admin is the same as for certificate-based login in Identity Manager deployed on Tomcat as a WAR file. See Set up certificate-based login to Identity Manager (War file) for more information.

Deploying Smart ID Identity Manager on Docker requires some additional configuration that differs from the WAR file deployment on Tomcat.

The setup described below terminates TLS connections in the Tomcat server of each Identity Manager container.

This differs from having a reverse proxy terminate all TLS connections for Identity Manager, which requires a different setup that is not described on this page.

Prerequisites

  • Server certificate (keystore .p12 file)

  • User certificates (.cer files)

  • Identity Manager deployment file (.tgz file), unpacked into <smartid> home folder

For details about how to deploy Identity Manager on docker, see https://doc.nexusgroup.com/pub/deploy-smart-id.

Configuring files for Docker compose

In order to configure the docker installation for certificate-based login, follow the steps below.

Keystore and certificate installation

  1. Add the server certificate or keystore (.p12) to smartid/docker/compose/certs.

  2. Set up user-trust certificate(s).

    1. Choose suitable certificates:

      • No intermediate CA exists:

        • root CA certificate

      • An intermediate CA exists and the client supplies the chain:

        • root CA certificate

      • An intermediate CA exists but the client does not supply the chain (e.g. smart cards, where we do not support CA certificate storage):

        • issuing CA certificate

      • Self-signed user certificate:

        • user certificate

    2. Choose a storage location for those certificates:

      • Recommended: provide a truststore (.p12) containing all user-trust certificates as smartid/docker/compose/certs/userTrustStore.p12.

      • Alternative (potentially less secure, as it lumps self-signed user certificates in with the CAs globally trusted by the JVM): add the user-trust certificate(s) (.cer files) to smartid/docker/compose/cacerts.

Configure Tomcat for Smart ID Admin, Operator and Self-Service

The Identity Manager docker containers run an internal Tomcat for the Smart ID Admin, Operator, Tenant and Self-Service applications. Smart ID Tenant does not support certificate-based login.

In this step, port 8444 is configured on those Tomcats.

First, add the following connector configuration to the Tomcat configuration files at

  • Admin and Operator: smartid/docker/compose/identitymanager/config/tomcat-server.xml  

  • Self-Service: smartid/docker/compose/selfservice/config/tomcat-server.xml

  • Tenant: no certificate-based login supported

Port 8444 configuration example (your settings may differ)

<!-- Include the three truststore attributes only if you provided a user trust-store file
     (smartid/docker/compose/certs/userTrustStore.p12); omit them if you added the
     user-trust certificates to smartid/docker/compose/cacerts instead.
     clientAuth="want" requests a client certificate but lets the TLS handshake
     succeed without one; the certificate check then happens at login. -->
<Connector
      port="8444"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true"
      maxPostSize="-1"
      scheme="https"
      secure="true"
      sslProtocol="TLS"
      clientAuth="want"
      keystoreFile="/certs/primeServerCert2021.p12"
      maxHttpHeaderSize="65536"
      keystorePass="1234"
      keystoreType="PKCS12"
      truststoreFile="/certs/userTrustStore.p12"
      truststorePass="1234"
      truststoreType="PKCS12"
      SSLEngine="On"
      SSLVerifyDepth="3"
      SSLVerifyClient="optional" />

Smart ID Admin and Operator: Configure the port 8444 in docker compose files

Configure the port of the applications in the docker-compose.yml files.

  • Admin: smartid/docker/compose/identitymanager/admin/docker-compose.yml

  • Operator: smartid/docker/compose/identitymanager/operator/docker-compose.yml

  • Self-Service: smartid/docker/compose/selfservice/docker-compose.yml

  • Tenant: no certificate-based login supported

The following host ports, for example, can be assigned to the applications:

  Application   Host port for container port 8080 (default setting)   Host port for the secured container port 8444
  Operator      7071                                                   7171
  SelfService   7072                                                   7172
  Admin         7073                                                   7173

Open, for example, the Operator's docker-compose file smartid/docker/compose/identitymanager/operator/docker-compose.yml.

In the environment block you will find the list of "SYSTEM_PROPERTIES". Add the login.certificateLoginPort property to the list, pointing to host port 7171.

Do not forget to put a comma after the item that was previously last in the list.

Operator system properties in docker-compose.yml

- 'SYSTEM_PROPERTIES={
          "caasCommunicationService.clientId": "${IDM_CAAS_CLIENT_ID}",
          "caasCommunicationService.clientSecret": "${IDM_CAAS_CLIENT_SECRET}",
          "caasCommunicationService.organisationId": "${IDM_CAAS_ORGANISATION_ID}",
          "caasCommunicationService.hostname": "${IDM_CAAS_HOSTNAME}",
          "MLTextTranslationProvider.defaultLanguage": "en",
          "multilanguageHelper.localeString": "de,en,fr,sv",
          "uploadPopup.enableUploadButtonStrategyName": "enableUploadButtonStrategyStrict",
          "zipPacker.signZip": true,
          "zipUnpacker.verifyZip": true,
          "historyVerificationTrigger.cronExpression": "0 30 0 * * ?",
          "activitiHistoryCleaner.daysAfterEndTime": 30,
          "activitiHistoryCleaner.daysOfInactivity": 180,
          "activitiHistoryCleanerJobTrigger.cronExpression": "0 0 23 ? * FRI *",
          "login.certificateLoginPort": 7171
        }'

In the ports block, add a new mapping from host port 7171 to the container's port 8444.

Operator port in docker-compose.yml

ports:
      - "${IDM_OPERATOR_PORT}:8080"
      - "7171:8444"

Smart ID Self-Service: Configure the port 8444 in docker compose file

Open the Self-Service docker-compose file at smartid/docker/compose/selfservice/docker-compose.yml.

In the environment block you will find the "CONFIG_JSON" object. Add the clientCert property as shown below.

Do not forget to put a comma after the item that was previously last in the object.

Self-Service config in docker-compose.yml

- 'CONFIG_JSON={
          "languages": {
            "supportedLanguages": [ "en" ],
            "defaultLanguage": "en"
          },
          "clientCert": {
            "enabled": true,
            "httpsPort": "7172"
          }
        }'

In the ports block, add a new mapping from host port 7172 to the container's port 8444.

Self-Service port in docker-compose.yml

ports:
      - "${SELFSERVICE_PORT}:8080"
      - "7172:8444"
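The two compose edits above (Admin/Operator and Self-Service) only work when the port named in login.certificateLoginPort or clientCert.httpsPort is the same host port that the ports block maps to the container's 8444. The following consistency check is an added example, not code from the Nexus documentation or product: it reads a docker-compose.yml as text and reports a mismatch; the compose snippets inside it are constructed samples.

```python
import json
import re

# Constructed samples (not real files); the ${...} inside the JSON exercises brace balancing.
OPERATOR_COMPOSE = """\
    environment:
      - 'SYSTEM_PROPERTIES={ "caas.clientId": "${IDM_CAAS_CLIENT_ID}", "login.certificateLoginPort" : 7171 }'
    ports:
      - "${IDM_OPERATOR_PORT}:8080"
      - "7171:8444"
"""
SELFSERVICE_COMPOSE = """\
    environment:
      - 'CONFIG_JSON={ "clientCert": { "enabled": true, "httpsPort": "7172" } }'
    ports:
      - "${SELFSERVICE_PORT}:8080"
      - "7172:8444"
"""

def extract_json_object(text, marker):
    """Parse the balanced {...} object after `marker`; None if absent or unbalanced."""
    if marker not in text:
        return None
    first = text.index("{", text.index(marker))
    depth = 0
    for pos in range(first, len(text)):
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        if depth == 0:  # matching close brace of the outer object
            return json.loads(text[first:pos + 1])

def configured_login_port(compose_text):
    """Host port the application is told to use for certificate login, or None."""
    props = extract_json_object(compose_text, "SYSTEM_PROPERTIES=") or {}
    if "login.certificateLoginPort" in props:  # Admin and Operator
        return int(props["login.certificateLoginPort"])
    cfg = extract_json_object(compose_text, "CONFIG_JSON=") or {}
    if cfg.get("clientCert", {}).get("enabled"):  # Self-Service
        return int(cfg["clientCert"]["httpsPort"])
    return None

def host_ports_for(compose_text, container_port):
    # Numeric 'host:container' entries only; "${VAR}:8080" style entries are skipped.
    pairs = re.findall(r'^\s*-\s*"?(\d+):(\d+)"?\s*$', compose_text, re.M)
    return {int(h) for h, c in pairs if int(c) == container_port}

def check_certificate_login(compose_text, tomcat_port=8444):
    """OK only if the configured login port is a host port mapped to Tomcat's 8444."""
    login_port = configured_login_port(compose_text)
    mapped = host_ports_for(compose_text, tomcat_port)
    return {"login_port": login_port, "mapped_host_ports": sorted(mapped),
            "ok": login_port is not None and login_port in mapped}
```

Run it against each application's compose file; a result with "ok": False means the login redirect will target a port no container listens on.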