Certificate

How to enable certificate login?

You can use certificates to log in in two ways: the certificate replaces the password but the user still types a username, or the certificate alone identifies the user and no username is asked for.

Note: EF Portal can take the username from the certificate's CN; the file ef.user.mapping lets you map certificates to users when the CN is not the account name.

Here are the steps:

  1. Edit the file /opt/nisp/enginframe/conf/enginframe/server.conf and set:
    EF_DEFAULT_AUTHORITY=certificate
  2. If you want the username to be taken from the certificate CN, set in the same file:
    authorization.certificate.userCertificate=true
    When true, the login page does not ask for a username; when false, the user is asked for one.
  3. Export JAVA_HOME, EF_ROOT and EF_CONF_ROOT (adjust the paths to your installation):
    export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
    export EF_ROOT=/opt/nisp/enginframe/
    export EF_CONF_ROOT=/opt/nisp/enginframe/conf/
  4. Use the command below to create the Tomcat certificate and the user (client) certificate. The Tomcat keystore password (passwordtest here) is supplied on standard input:
    echo "passwordtest" | bash /opt/nisp/enginframe/2024.0-r1786/enginframe/tools/tomcatssl-certificates.sh - generate --tomcatuser efnobody --client-auth --client-password clientpassword --ef-alias enginframe --client-aliases myClient
  5. Edit the file ${EF_CONF_ROOT}/tomcat/conf/server.xml, comment out the active HTTPS Connector element and replace it with the one below. The keystore and truststore paths and passwords must match what the script produced in step 4; with clientAuth="true", Tomcat only accepts client certificates that chain to a certificate in the truststore:
<Connector
    clientAuth="true"
    port="8443"
    minSpareThreads="5"
    protocol="HTTP/1.1"
    enableLookups="true"
    disableUploadTimeout="true"
    URIEncoding="utf-8"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="conf/certs/enginframe.tomcat.keystore"
    keystoreType="JKS"
    keystorePass="passwordtest"
    keyAlias="enginframe"
    truststoreFile="conf/certs/enginframe.tomcat.truststore"
    truststoreType="JKS"
    truststorePass="passwordtest"
    sslProtocol="TLS"
    server="Apache" />

Finally, restart the EF Portal service, then download the user's client PKCS#12 file and import it into the browser (it is protected with the client password from step 4). It will be used to log in to EF Portal:
/opt/nisp/enginframe/conf/tomcat/conf/certs/myClient.client.cert.p12

Explaining the above command:

  • passwordtest: password of the EF Portal Tomcat keystore and truststore (it must match keystorePass and truststorePass in server.xml)
  • clientpassword: password protecting the user's client certificate (.p12) file
  • myClient: the client alias, also used in the generated file name. For more than one client use: --client-aliases 'myClient1 myClient2'

Note: The certificates are generated under the ${EF_CONF_ROOT}/tomcat/conf/certs directory. Since server.xml now holds the keystore and truststore passwords in clear text, keep that file and the certs directory readable only by the user Tomcat runs as, and hand each .p12 and its password to its user over separate channels.