PKI Proxy

From idenprotect Knowledge Base

Introduction

This article explains how to install and configure a proxying PKI connector.

This connector accepts a request for a P12 certificate. If it cannot find a certificate on its local idenprotect Core Platform, it proxies the request to a different PKI connector.

This is required if you wish to configure the UEM to use a PKI connector. For other information about the UEM configuration, please see our UEM Guide.


Installation

  1. Download the .zip file from https://idenprotectwiki.com/images/5/59/Pki-connector.zip
  2. Rename it to a .war file.
  3. Navigate to the location of the Apache Tomcat server that hosts the PKI connector.
  4. Stop Tomcat.
  5. Take a backup of the existing .war file and remove it from webapps.
  6. Take a backup of the existing properties file, idenprotect-server.properties, under WEB-INF/classes.
  7. Start Tomcat (the existing connector should now be uninstalled).
  8. Copy the new .war file to webapps (the new connector should be deployed). Make sure the .war file has the same name as the original connector.
  9. If it does not deploy, check the permissions on the .war file.


Configuration

  1. Stop Tomcat.
  2. Edit idenprotect-server.properties so that the settings for the idenprotect server match the previous values (from the backup taken during installation).
  3. Edit the following values as required.

Replace https://iden-eng-001.idenprotect.net/pki-connector with the hostname of the other PKI connector. If the other connector uses basic authentication, set the username and password values as required.

pki.server.url=https://iden-eng-001.idenprotect.net/pki-connector/pki?operation=getUserKeyPair
pki.server.username=goodCaAdmin
pki.server.password=g00d-c4.4dm1n
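As an added check (example code, not idenprotect's), the following script reads idenprotect-server.properties and flags what a reviewer of this configuration would want to catch: a pki.server.url that is not https (basic-auth credentials would then cross the network in clear text), a missing operation parameter, a username without a password, and any idenprotect server setting that no longer matches the backup taken in step 6 of the installation. The key name core.platform.url is a hypothetical stand-in and both property files are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

def parse_properties(text):
    """Java .properties reader: '#'/'!' comments, '=' ':' or space separators,
    backslash line continuation (escape sequences are not unwound)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue                           # blank or comment line
        if line.endswith("\\"):                # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
    return props

def check_proxy_settings(props, backup=None):
    """Findings for the pki.server.* keys (empty list = sane); with a backup
    mapping, every non-proxy key must still hold its backed-up value."""
    findings = []
    url = urlsplit(props.get("pki.server.url", ""))
    if url.scheme != "https":
        findings.append("pki.server.url must use https, or basic-auth credentials travel in clear text")
    if not url.hostname:
        findings.append("pki.server.url has no hostname")
    if parse_qs(url.query).get("operation") != ["getUserKeyPair"]:
        findings.append("pki.server.url must carry operation=getUserKeyPair")
    if props.get("pki.server.username") and not props.get("pki.server.password"):
        findings.append("pki.server.username is set but pki.server.password is empty")
    for key, old in (backup or {}).items():
        if not key.startswith("pki.server.") and props.get(key) != old:
            findings.append(f"{key} no longer matches the backed-up value")
    return findings

# Constructed sample files; core.platform.url is a hypothetical key name standing
# in for whatever idenprotect server settings the real file holds.
BACKUP_PROPS = "core.platform.url=https://core.example.internal:8443\n"
NEW_PROPS = """\
# idenprotect server settings copied from the backup
core.platform.url=https://core.example.internal:8443
pki.server.url=https://pki-b.example.internal/pki-connector/pki?\\
    operation=getUserKeyPair
pki.server.username=goodCaAdmin
pki.server.password=
"""
```

Calling check_proxy_settings(parse_properties(NEW_PROPS), parse_properties(BACKUP_PROPS)) on the sample reports only the empty password; run it against the real file before starting Tomcat.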


Certificate Based Authentication

If the other PKI connector uses certificate-based authentication, you need to configure the Apache Tomcat server accordingly. This means creating a keystore that holds the key pair used for the authentication and a truststore that holds the associated certificate. To do this, set the following JVM system properties:

  -Djavax.net.ssl.keyStoreType=<keystore type, e.g. PKCS12>
  -Djavax.net.ssl.keyStore=<path to the keystore that holds the key pair>
  -Djavax.net.ssl.keyStorePassword=<keystore password>
  -Djavax.net.ssl.trustStore=<path to the truststore that holds the associated certificate>
  -Djavax.net.ssl.trustStorePassword=<truststore password>
  -Djavax.net.ssl.trustStoreType=<truststore type, e.g. JKS>

These settings can be made by appending them to JAVA_OPTS in the catalina.sh file under the Tomcat bin folder. All of the -D options must sit inside the quoted JAVA_OPTS value, and the keystore type must be PKCS12 (the value P12 is not a recognised Java keystore type). Because the passwords appear in clear text in this file, restrict its permissions to the user that runs Tomcat.

For example:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStore=/etc/keystore.p12 -Djavax.net.ssl.keyStorePassword=<keystore password> -Djavax.net.ssl.trustStore=<path to truststore> -Djavax.net.ssl.trustStorePassword=<truststore password> -Djavax.net.ssl.trustStoreType=JKS"