PKI Authentication Support in Ephesoft Transact Installer (Linux)

What’s New In Transact 4.5?

Installer | PKI Authentication Support in Ephesoft Transact Installer (Linux)

The installer of Ephesoft Transact v.4.5.0.0 has been enhanced to provide support for PIC/CAC certificates import. Now, you can select the PKI authentication type and import your PIV/CAC certificates at the time of system installation. All provided data will be saved/updated/mapped automatically in the following files:

server.xml (<Ephesoft Transact Installation Directory>\JavaAppServer\conf)
web.xml (<Ephesoft Transact Installation Directory>\JavaAppServer\conf)
dcma-user.connectivity.properties (<Ephesoft Installation Directory>\Application\WEB-INF\classes\META-INF\dcma-user-connectivity)
dcma-batch.properties (<Ephesoft Transact Installation Directory>\Application\WEB-INF\classes\META-INF\dcma-batch)
config.properties (included in Ephesoft Transact installation package)

The imported certificates will be stored in the Certs folder of Ephesoft Transact installation directory.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\11.png$

In addition to that, the Ephesoft Transact installer provides an option to select a PKI-config.properties file for auto-filling required fields for PIV/CAC configuration. You can provide PIV/CAC details in the properties file and then simply specify the file location during Transact installation. All required details will be picked up by the system from the properties file automatically.

PKI Authentication Configuration in the Ephesoft Transact installer:

Normal installation
Installation using PKI-config.properties file
Silent installation

To configure PKI Authentication during Ephesoft Transact installation on Linux:

1. Start the installation process by executing the installer. When offered to install the system using silent installer, select n.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\1.png$

2. Follow the installation process till you reach Authentication Configuration.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\2-1.png$

3. Enter 2 to select PKI Authentication Mode.

Note:

When Form Authentication is selected, the users will be required to provide a username and password to log on to the application. This Authentication Mode is used by default.
PKI Authentication (Public Key Infrastructure) option is provided if you want to use your PIV card and related certificates.

4. At this step, you can either import the PKI-config.properties file with PIV/CAC configurations or enter all required PIV/CAC authentication details in the console.

Let’s go ahead and select the second option by clicking n.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\4-11.png$

5. Provide the path and password for your server certificate (certificate that will be used to recognize your server).

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\5.png$

6. Provide the path and password for CA certificate (certificate that will be used to recognize the Certifying Authority). Then, confirm that provided information is correct by entering n. If you want to update the details, press y and change the information as needed.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\6.png$

Note: If any error occurred, for example, if a pem file cannot be generated (when an incorrect password has been provided) or certificates have already been imported, you will see the exact error message. You can then re-enter the details or can continue with the installation. If you choose to continue, you will be prompted to import the certificate manually before starting the server.

Sample error message If provided password is incorrect

Sample error message If alias already exists/certificate already imported

7. Fill the Connector Settings for PKI section.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\7.png$

Configurable property	Description
Port	Number of the PKI Connector port
SSL protocol	Protocol that will be used to secure connection between the client and the server
SSL Enabled Protocol	The supported versions of selected protocol
Chipper text	The algorithm of encryption that will be used between the client and the server

To continue, select n. If you want to update the details, press y and change the information as needed.

8. Fill the Realm Settings for PKI section.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\8.png$

Connection configuration

Configurable property

Description

User Connection Type

The type of connection you want to use for the application.

for LDAP
for MS Active Directory

Configurable properties common for both LDAP & MS Active Directory

Configurable property	Description
Connection URL	A valid URL to connect to LDAP /Active Directory server. The connection URL should be in the following format: ldap://<server_address>:<port_number>.
Connection Name	A valid username to connect and access LDAP /Active Directory server (the username of the user responsible for interacting with the server).
Connection Password	A valid password to connect and access LDAP/ Active Directory server (the password of the user responsible for interacting with the server).
User Base	The relative path under which all the users’ information will be located. This attribute defines where to look for a user.
User Search	A search string for searching users.
User Subtree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the User base entry. Set to false to request a single-level search including only the top level.
Role Base	The relative path under which all the roles information will be located. This attribute defines where to look for a role corresponding to a user.
Role Name	Role name defines which attribute is used for a role.
Role Search	A search string for searching roles.
Role Subtree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the Role base entry. Set to false to request a single-level search including only the top level.

Properties specific to MS-Active Directory configuration

Configurable property

Description

MS AD Group Search Filter

This attribute helps to filter search results and can have the following operators: |(OR), &(AND) and !(NOT). For example, ((!(cn=a*))(|(cn=ephesoft*)(&(cn=b*)))

This parameter is optional and can be left empty.

To continue, select n. If you want to update the details, press y and change the information as needed.

Now, the import of PIV/CAC certificates is complete and the following message is displayed:

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\9.png$

9. Proceed with the installation process.

To configure PKI Authentication for Ephesoft Transact installation using the PKI-config.properties file:

1. Open the PKI-config.properties file located in the Response-Files folder which is shipped along with Ephesoft Transact 4.5.0.0 installer for Linux.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\3.png$

2. Configure the details required for PIV/CAC certificates import during installation.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\3-3.png$

PKI Authentication Configuration

Configurable property	Description
input_pki_server_cert_path	Location of the Server certificate
input_pki_ca_cert_path	Location of the Certifying Authority certificate
input_pki_connector_port_number	Number of the PKI connector port
input_pki_connector_ssl_protocol	Protocol that will be used to secure connection between the client and the server
input_pki_connector_ssl_enabled_protocol	The supported versions of selected protocol
input_pki_connector_chipper_text	The algorithm of encryption that will be used between the client and the server

Connection configuration

Configurable property

Description

input_connectivity_user_connection

The type of connection you want to use for the application.

for LDAP
for MS Active Directory

Configurable properties common for both LDAP & MS Active Directory

Configurable property	Description
input_realm_connection_url	A valid URL to connect to LDAP /Active Directory server. The connection URL should be in the following format: ldap://<server_address>:<port_number>.
input_realm_connection_name	A valid username to connect and access LDAP /Active Directory server (the username of the user responsible for interacting with the server).
input_realm_user_base	The relative path under which all the users’ information will be located. This attribute defines where to look for a user.
input_realm_user_search	A search string for searching users.
input_realm_user_sub_tree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the User base entry. Set to false to request a single-level search including only the top level.
input_realm_role_base	The relative path under which all the roles information will be located. This attribute defines where to look for a role corresponding to a user.
input_realm_role_name	Role name defines which attribute is used for a role.
input_realm_role_search	A search string for searching roles.
input_realm_role_sub_tree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the Role base entry. Set to false to request a single-level search including only the top level.

Properties specific to MS-Active Directory configuration

Configurable property

Description

input_msactivedirectory_group_search_filter

This attribute helps to filter search results and can have the following operators: |(OR), &(AND) and !(NOT). For example, ((!(cn=a*))(|(cn=ephesoft*)(&(cn=b*)))

This parameter is optional and can be left empty.

3. Run the Ephesoft Transact installer.

4. In the Authentication Configuration section, enter 2 to select PKI Authentication mode.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\2-1.png$

5. Enter y in response to the question “Do you want to import PKI configuration from properties file?” and provide the location of your configurations file.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\4-33.png$

The system will pick up the details and populate them on the screen automatically.

Note: The passwords for the certificates and realm connection are not provided in the PKI-config.properties file. You will have to enter and confirm them at the time of installation.

To configure PKI Authentication for the silent installation of Ephesoft Transact on Linux:

1. Open the config.properties file shipped along with the installer.

2. Configure the below-mentioned parameters.

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\1.png$

$C:\Users\Ephesoft\AppData\Local\Microsoft\Windows\INetCache\Content.Word\3.png$

Authentication Mode Configuration

Configurable property

Description

input_authentication_mode

The type of authentication mode you want to use.

for Form Authentication
for PKI Authentication

PKI Authentication Configuration

Configurable property	Description
input_pki_server_cert_path	Location of the Server certificate
input_pki_server_cert_password	Password for the Server certificate
input_pki_ca_cert_path	Location of the Certifying Authority certificate
input_pki_ca_cert_password	Password for the Certifying Authority certificate
input_pki_alias_name	A unique string to identify the keystore entry
input_pki_connector_port_number	Number of the PKI connector port
input_pki_connector_ssl_protocol	Protocol that will be used to secure connection between the client and the server
input_pki_connector_ssl_enabled_protocol	The supported versions of selected protocol
input_pki_connector_chipper_text	The algorithm of encryption that will be used between the client and the server

Connection configuration

Configurable property

Description

input_connectivity_user_connection

The type of connection you want to use for the application.

for LDAP
for MS Active Directory

Configurable properties common for both LDAP & MS Active Directory

Configurable property	Description
input_realm_connection_url	A valid URL to connect to LDAP /Active Directory server. The connection URL should be in the following format: ldap://<server_address>:<port_number>.
input_realm_connection_name	A valid username to connect and access LDAP /Active Directory server (the username of the user responsible for interacting with the server).
input_realm_user_base	The relative path under which all the users’ information will be located. This attribute defines where to look for a user.
input_realm_user_search	A search string for searching users.
input_realm_user_sub_tree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the User base entry. Set to false to request a single-level search including only the top level.
input_realm_role_base	The relative path under which all the roles information will be located. This attribute defines where to look for a role corresponding to a user.
input_realm_role_name	Role name defines which attribute is used for a role.
input_realm_role_search	A search string for searching roles.
input_realm_role_sub_tree	This attribute defines the search scope. Set to true to search the entire subtree rooted at the Role base entry. Set to false to request a single-level search including only the top level.

Properties specific to MS-Active Directory configuration

Configurable property

Description

input_msactivedirectory_group_search_filter

This attribute helps to filter search results and can have the following operators: |(OR), &(AND) and !(NOT). For example, ((!(cn=a*))(|(cn=ephesoft*)(&(cn=b*)))

This parameter is optional and can be left empty.

3. Save the changes.