Confidentiality: Public
Net iD Portal Technical Description v5.1
Net iD Portal - Technical Description v5.1
Copyright 2017 © SecMaker AB
Confidentiality: Public
Document no: SMP-NiP16-04
Date: 2017-03-13
Document no: SMP-NiCP16-03
Content
1 Introduction ... 4
1.1 About this document ... 4
1.2 Who should read this document ... 4
1.3 Feedback and support ... 4
1.4 Contact information ... 4
1.5 Additional technical documents ... 4
2 What is Net iD Portal? ... 5
2.1 NiP-API ... 5
2.2 NiP-GUI ... 6
2.3 Release life cycle ... 6
3 Standards and algorithms ... 7
3.1 Date and time ... 7
3.2 Public key algorithm ... 7
3.3 Digital signature ... 7
3.4 Encryption algorithm ... 7
3.5 Hash algorithm ... 7
4 Service requirements ... 8
4.1 About ... 8
4.2 Web service ... 8
4.3 Database service ... 8
4.4 Certificate service ... 9
5 Additional services ... 10
5.1 About ... 10
5.2 Directory service: Microsoft Active Directory (MSAD DS) ... 10
5.3 Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS) ... 10
5.4 National Citizen Register service: Swedish Tax Agency Navet (Navet) ... 10
6 Architecture of Net iD Portal ... 11
6.1 About ... 11
6.2 NiE (Net iD Enterprise) ... 11
6.3 NiP-GUI (Net iD Portal Graphical User Interface) ... 11
6.4 NiP-API (Net iD Portal Application Programming Interface) ... 11
6.5 NiP-GS (Net iD Portal Generic Service) ... 12
6.6 NiP-TS (Net iD Portal Timer Service) ... 12
6.7 Database ... 13
6.8 Database collations ... 13
6.9 Database constraints ... 13
6.10 Database tables ... 13
6.11 Database documentation ... 17
6.12 Files: NiP-GUI ... 17
6.13 Files: NiP-API ... 17
6.14 Files: NiP-GS ... 18
6.15 Files: NiP-TS ... 18
7 Ports and protocols ... 19
7.1 About ... 19
7.2 Web service: Microsoft Internet Information Services ... 19
7.3 Database service: MS SQL Server ... 19
7.4 Certificate service: Microsoft Certificate Authority ... 19
7.5 Certificate service: EJBCA ... 19
8 Installation and configuration ... 20
8.1 About ... 20
8.2 Install and configure the web service ... 20
8.2.1 Server role ... 20
8.2.2 NiP-API ... 20
8.2.3 NiP-GUI ... 20
8.3 Install and configure the database service ... 21
8.3.1 Microsoft SQL Server ... 21
8.3.2 Oracle MySQL ... 21
8.4 Install and configure the certificate service ... 21
8.4.1 Microsoft Certificate Authority (MSCA) ... 21
8.4.2 MSCA policy modifications ... 22
8.4.3 Setup MSCA as a Stand Alone CA and enrollment mode as Stamp ... 23
8.4.4 Setup MSCA as a Stand Alone CA and enrollment mode as Modifier ... 23
8.4.5 Setup MSCA as an Enterprise CA and enrollment mode as Modifier ... 24
8.4.6 Setup MSCA as an Enterprise CA and enrollment mode as EnrollmentAgent ... 24
8.4.7 Enterprise Java Beans Certificate Authority (EJBCA) ... 24
9 Uninstall the application ... 25
9.1 About ... 25
9.2 Settings and dependencies ... 25
9.3 Upgrading ... 25
9.4 Complete uninstallation ... 25
10 Troubleshooting ... 27
10.1 About ... 27
10.2 Trace: Net iD Enterprise ... 27
10.3 Trace: Net iD Portal with log4net extension ... 27
10.4 Trace: Net iD Portal with Generic Service (Trace Server) ... 27
10.5 Trace: Microsoft Internet Information Services Diagnostics ... 27
10.6 Error codes and messages ... 27
10.6.1 Login and session ... 27
10.6.2 NiP-GUI (client side) ... 28
10.6.3 NiP-API (server side) ... 28
11 Status information ... 31
11.1 About ... 31
11.2 Token status ... 31
11.3 Task status ... 31
11.4 GemaltoProductionStatus, Kunddatafil ... 32
11.5 NiP translations GemaltoProductionStatus ... 33
12 Changes from earlier versions ... 34
12.1 Changes between v5.0 and v5.1 ... 34
12.2 NiP v5.0 ... 34
13 NiP documentation ... 35
1 Introduction
1.1 About this document
This document provides detailed technical information for the application Net iD Portal version 5.1.
1.2 Who should read this document
The document is written primarily for technicians responsible for, or involved in, installation and configuration of Net iD
Portal, henceforth called NiP in this document.
1.3 Feedback and support
Please forward your comments and problem reports to the following e-mail addresses:
Any problems with the documentation should be reported by sending an e-mail to:
netid@secmaker.com
Any other feedback may be reported by sending an e-mail to:
feedback@secmaker.com
If you are a SecMaker customer with a Net iD Support Agreement, you may also register tickets in our support
system. Please visit https://support.secmaker.com for more information.
1.4 Contact information
SecMaker AB
Phone: +46 (0) 8 – 6012300
E-mail: info@secmaker.com
Web: www.secmaker.com
1.5 Additional technical documents
Where additional services or processes are described in other documentation, you will find this icon in the
document.
You can order technical documents through SecMaker’s website.
Visit www.secmaker.com > Partners > Developers > Technical manual.
2 What is Net iD Portal?
Net iD Portal (NiP) is a life-cycle management application from SecMaker that simplifies the management of smart cards,
devices, certificates, and users for an organization.
Net iD Portal (NiP) is an application from SecMaker that simplifies the lifecycle management of tokens containing
certificates and keys (i.e. smart cards, USB tokens, devices, …). NiP gives an overview of the tokens held by different
end entities, for example users and servers, and makes it possible to manage them, for example issuance and
revocation of tokens. NiP handles the complete chain between users, tokens, keys, and certificates.
NiP interconnects the certificate service and database service in the organizational infrastructure.
Administrators, officers and end users have web GUIs through which they can access the NiP features they have
been given permission to use. For example, an officer can access the NiP Officer GUI and manage end users' smart
cards and certificates, e.g. for logon authentication to the organization's network and applications and/or for
signing and encrypting documents.
The architecture of NiP consists of a NiP-API and normally a NiP-GUI. The NiP-GUI interacts with the NiP-API and
becomes a web portal that can be used with a web browser.
Below is a reference design for installing NiP in your environment. NiP can be installed in different server architectures
depending on the demands for high availability.
In this document, the requirements and configurations of the server environment are explained.
Please read the “Service requirements” chapter below and check that NiP supports the current environment of the
organization.
2.1 NiP-API
NiP-API (also called back-end) is a web service API that provides the requestor with information through Hypertext
Transfer Protocol. The web service supports the following architectures:
- SOAP 1.1/1.2
- REST
See the chapter “Architecture of Net iD Portal” for more information about the interface.
2.2 NiP-GUI
NiP-GUI (also called front-end) is a Graphical User Interface containing the graphic layout, the handler for the NiP-API
and the client-side architecture. NiP-GUI can be stored on a local client computer or on a web server.
See the chapter “Architecture of Net iD Portal” for more information.
2.3 Release life cycle
As in most software lifecycles, there is a release lifecycle that refers to the different phases of the development process
and the maturity of the software versions. The phases of the NiP release lifecycle that may or will be made available to
customers are:
- BETA
The phase is known as beta release and is only available externally for temporary tests of new or
customized features ordered by a customer.
NOTE: It will not be possible to upgrade beta releases to other releases.
Beta releases shall not be used in production and are not supported as part of the SecMaker support service.
- RC (Release Candidate)
The phase is known as release candidate and refers to a version of NiP with the potential to be a final release.
An RC release may be made available to customers that need to test new NiP functionality before the FRC
or GA releases. The RC release can be upgraded to the FRC and GA releases.
NOTE: RC releases shall not be used in production and are not supported as part of the SecMaker support service.
- FRC (Final Release Candidate)
The FRC phase is used to test the new version at customers’ production sites to find possible “real life” issues
that were not found during release testing at SecMaker. The release has gone through complete
release testing at SecMaker and is considered as good as a GA release.
The FRC is normally released four weeks before the GA release.
NOTE: FRC releases may be used in production and are supported as part of the SecMaker support service.
The FRC must however be updated to the GA release when it becomes available.
- GA (General Availability)
The phase is also known by the term “release to manufacturing” and is the public final release version.
3 Standards and algorithms
3.1 Date and time
Date and time are always formatted as ISO 8601 by NiP-API.
The syntax for date is:
- {YYYY}-{MM}-{DD} (e.g. 2016-01-22)
The syntax for time is:
- {HH}:{MM}:{SS} (e.g. 08:45:50)
The syntax for date time is:
- {YYYY}-{MM}-{DD} {HH}:{MM}:{SS} (e.g. 2016-01-22 08:45:50)
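As an added illustration (my code, not code from the document or from SecMaker), a strict parser and formatter for the three NiP-API value syntaxes above. The function names are mine; the example assumes, as the documented syntax shows, that values carry no time-zone designator and no fractional seconds, so a client has to normalise before sending and must not rely on a lenient ISO 8601 parser on the way back.

```python
import re
from datetime import date, datetime, time
from typing import Union

# The three syntaxes from section 3.1. Note the single space between the
# date and time parts: the ISO 8601 "T" separator is not what NiP-API emits.
_DATE = r"\d{4}-\d{2}-\d{2}"
_TIME = r"\d{2}:\d{2}:\d{2}"
_SYNTAXES = (
    # (strict shape check, strptime format, Python type to return)
    (re.compile(f"{_DATE} {_TIME}"), "%Y-%m-%d %H:%M:%S", datetime),
    (re.compile(_DATE), "%Y-%m-%d", date),
    (re.compile(_TIME), "%H:%M:%S", time),
)


def parse_nip_value(value: str) -> Union[datetime, date, time]:
    """Parse a NiP-API date, time or date-time string, strictly.

    The regex enforces the exact shape (zero-padded fields, no "T", no
    fractional seconds, no zone); strptime then validates the calendar
    (a 13th month or a 25th hour is rejected).
    """
    for shape, fmt, kind in _SYNTAXES:
        if shape.fullmatch(value):
            parsed = datetime.strptime(value, fmt)
            if kind is date:
                return parsed.date()
            if kind is time:
                return parsed.time()
            return parsed
    raise ValueError(f"not a NiP-API date/time value: {value!r}")


def is_nip_value(value: str) -> bool:
    """True if the string is accepted by parse_nip_value."""
    try:
        parse_nip_value(value)
        return True
    except ValueError:
        return False


def format_nip_datetime(value: datetime) -> str:
    """Format a naive datetime the way NiP-API expects (space separator,
    whole seconds). A zone-aware value must be converted by the caller
    first, because the documented syntax has no place for an offset."""
    if value.tzinfo is not None:
        raise ValueError("convert to a naive local datetime before formatting")
    return value.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for sample in ("2016-01-22 08:45:50", "2016-01-22", "08:45:50", "2016-01-22T08:45:50"):
        print(f"{sample!r}: {'accepted' if is_nip_value(sample) else 'rejected'}")
```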
3.2 Public key algorithm
Public key algorithms supported by NiP-API are:
- DSA
- RSA
- ECC*
* ECC has been implemented but is not fully supported.
3.3 Digital signature
Digital signature standards supported by NiP-API are:
- PKCS#7
- XMLDSIG
- RSARAW
3.4 Encryption algorithm
Encryption algorithms supported by NiP-API are:
- 3DES (192)
- AES (128, 192, 256)
3.5 Hash algorithm
Hash algorithms (also known as digest) supported by NiP-API are:
- SHA1
- SHA256
- SHA384
- SHA512
- SHA1-HMAC
- SHA256-HMAC
- SHA384-HMAC
- SHA512-HMAC
4 Service requirements
4.1 About
In this chapter you will find all the requirements needed to correctly install and run NiP-API. The services
needed by NiP-API are:
- Web service
- Database service
- Certificate service
4.2 Web service
NiP-API must be installed on a web server included in the environment hierarchy.
The following service has to be installed on the web server:
- Microsoft Internet Information Services.
The following platforms can be used as a web server (Microsoft Internet Information Services is included in all platforms):
- Microsoft Windows Server 2008 R2, Standard
- Microsoft Windows Server 2008 R2, Enterprise
- Microsoft Windows Server 2012, Standard
- Microsoft Windows Server 2012 R2, Standard
- Microsoft Windows Server 2016, Standard *
- Microsoft Windows Server 2016, Datacenter *
* Support for Windows Server 2016 will be available in NiP v5.2.
NiP-API requires that one of the following .NET Framework versions is installed on the web server (.NET Framework can be
downloaded from the Microsoft.com web page):
- Microsoft .NET Framework 4.5
- Microsoft .NET Framework 4.5.1
Note that .NET Framework 4.5 is already included in Windows Server 2012 (4.5.1 in Windows Server 2012
R2) and does not need to be downloaded separately.
4.3 Database service
NiP-API requires two databases to store, access and log all information and settings in the application.
NiP-API supports the following database services, with the latest service packs:
- Microsoft SQL Server 2008 R2, Express
- Microsoft SQL Server 2008 R2, Standard
- Microsoft SQL Server 2008 R2, Enterprise
- Microsoft SQL Server 2012, Express
- Microsoft SQL Server 2012, Standard
- Microsoft SQL Server 2012, Enterprise
- Microsoft SQL Server 2014, Express
- Microsoft SQL Server 2014, Standard
- Microsoft SQL Server 2014, Enterprise
- Microsoft SQL Server 2016, Express
- Microsoft SQL Server 2016, Standard
- Microsoft SQL Server 2016, Enterprise
- MySQL Server 5.6
Microsoft SQL Server can be installed on any Windows Server platform. Oracle MySQL server can be installed on any
Windows Server platform or Linux SUSE.
4.4 Certificate service
NiP-API supports the following certificate services (known as CAs (Certificate Authorities)):
- Microsoft Certificate Authority (MSCA)
- PrimeKey Enterprise Java Beans Certificate Authority (EJBCA)
- NiP Internal CA (NiP-CA) *
* NiP-CA is an internal CA for test and development purpose only and is not supported.
The CAs can be installed on the following platforms:
- Microsoft Windows Server 2008 R2, Standard (MSCA)
- Microsoft Windows Server 2008 R2, Enterprise (MSCA)
- Microsoft Windows Server 2012, Standard (MSCA)
- Microsoft Windows Server 2012 R2, Standard (MSCA)
- Microsoft Windows Server 2016, Standard (MSCA) *
- Microsoft Windows Server 2016, Datacenter (MSCA) *
- Linux SUSE (EJBCA)
- Linux Ubuntu 16 (EJBCA)
* Support for Windows Server 2016 will be available in NiP v5.2.
5 Additional services
5.1 About
In this chapter you will find all the additional services that are supported by the NiP-API:
- Directory service: Microsoft Active Directory Domain Services (MSAD DS)
- Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS)
- National Citizen Register service: Swedish Tax Agency Navet (Navet)
5.2 Directory service: Microsoft Active Directory (MSAD DS)
MSAD DS can be used to get users from the current environment. NiP-API uses the Lightweight Directory Access
Protocol (LDAP) to access the user object. It is possible to store a user from the current environment in the NiP system
database.
5.3 Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS)
MSAD LDS can be used to get users from the current environment. NiP-API uses the Lightweight Directory Access
Protocol (LDAP) to access the user object. It is possible to store a user from the current environment in the NiP system
database.
5.4 National Citizen Register service: Swedish Tax Agency Navet (Navet)
The Swedish Citizen Register Navet can be used when creating users based on Swedish “personnummer” (citizen id
number). The Navet service is provided by the Swedish Tax Agency (Skatteverket) and a subscription is needed to use
the service. It’s possible to store a user from Navet into the NiP system database.
6 Architecture of Net iD Portal
6.1 About
The architecture of NiP consists of several services. The required services are:
- NiE (Net iD Enterprise)
- NiP-GUI (Net iD Portal Graphical User Interface)
- NiP-API (Net iD Portal Application Programming Interface)
- NiP-GS (Net iD Portal Generic Service)
- NiP-TS (Net iD Portal Timer Service)
- Database
- Files
6.2 NiE (Net iD Enterprise)
NiE is a PKI client, provided by SecMaker, that needs to be installed on the local client. NiE handles all the architecture
of local tokens, smart card readers and local libraries.
See the document “Net iD Enterprise Technical Description” for more information.
6.3 NiP-GUI (Net iD Portal Graphical User Interface)
NiP-GUI contains all the structures that can be used by the default web browser: the graphical design
pack, the front-end architecture and the structures that interact with NiE. NiP-GUI can be hosted on a web server in the
environment or on the local workstation. NiP-GUI requires NiE to be installed locally on the client.
6.4 NiP-API (Net iD Portal Application Programming Interface)
NiP-API is a web service that contains all the structure and interfaces connecting to the services on server side.
NiP-API contains two main web services:
- Application
The purpose of the application service is to provide the NiP-GUI with a server application interface.
- External
The purpose of the external service is to provide third party vendors with a server application interface to
NiP.
The interfaces of the application and external services are:
- ServiceSoap.svc
Simple Object Access Protocol (SOAP) specification of the interface formatted as Extensible Markup Language
(XML). ServiceSoap.svc uses BasicHttpBinding and all object types are formatted in PascalCase.
- ServiceRestJson.svc
Representational State Transfer (REST) specification of the interface formatted as JavaScript Object Notation
(JSON). ServiceRestJson.svc uses WebHttpBinding and all object types are formatted in PascalCase.
- ServiceRestXml.svc
Representational State Transfer (REST) specification of the interface formatted as Extensible Markup Language
(XML). ServiceRestXml.svc uses WebHttpBinding and all object types are formatted in PascalCase.
See the document “Net iD Portal API Description” for more information about all operations within the interface.
6.5 NiP-GS (Net iD Portal Generic Service)
NiP-GS is a Windows Service application running beside the web service on the local server. The purpose of NiP-GS is
to relieve the web services of large and continuous data handling (tracing and logging). NiP-GS listens on the basic/mex
HTTP protocol on port 61236 by default. NiP-GS has two modules that run automatically at startup:
- TraceServer
The module receives trace calls asynchronously from the trace structure of the services and saves the traces to
a local file.
- Log
The module receives log entry calls asynchronously from the services and stores the entries in the database.
6.6 NiP-TS (Net iD Portal Timer Service)
NiP-TS is a Windows Service application running beside the web service on the local server. The purpose of NiP-TS is to
run background processing against NiP. The settings can be modified through the “Administration” section of the
portal.
NiP-TS listens on the basic/mex HTTP protocol on port 61234 by default. NiP-TS has several modules that can be started
at different time intervals. The modules are:
- Monitor
The module monitors the system through different kinds of tasks. The module runs every 10 minutes by default
and checks for scheduled work in the NiP system. The tasks are:
- Automatic logout of inactive users.
- Notification of certificates that are about to expire.
- Release of inactive tasks.
- Deletion of expired tasks.
- Status updates for certificates.
- Status updates for tokens.
- Uploader
The module monitors a local server directory path for files to upload to NiP in different kinds of tasks. The tasks
are:
- Processing of updated text resources.
- Processing of a batch of users that should be created.
- Processing of a batch of personalized token orders for users.
- Gemalto *.*
These modules handle order, status and revocation of tokens against the token manufacturer Gemalto.
The default module is “MonitorModule”. There are non-default modules in the Timer Service and these are custom
actions.
Example of settings:
<Modules>
  <Module Name="MonitorModule">
    <ModuleAssemblyFile>SecMaker.NiP.TS.Module.Monitor.dll</ModuleAssemblyFile>
    <ModuleClassName>SecMaker.NiP.TS.Module.MonitorModule</ModuleClassName>
    <TimerSeconds>600</TimerSeconds>
  </Module>
</Modules>
The <TimerSeconds> tag specifies, in seconds, how often the module runs (i.e. 600 = every 10 minutes).
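As an added example (my code, not SecMaker's; the second module entry and the check rules are my own constructions), a small parser and lint for the <Modules> section above. Since every module is a DLL named in this file, a review of a Timer Service configuration would confirm that each entry names a bare .dll file, a well-formed class name and a positive timer before the service is started; the example flags anything else.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample config: the MonitorModule entry exactly as shown in the
# document, plus a second, hypothetical custom module whose name, file and
# class are placeholders chosen to trip the checks below (not real NiP files).
SAMPLE_CONFIG = r"""<Modules>
  <Module Name="MonitorModule">
    <ModuleAssemblyFile>SecMaker.NiP.TS.Module.Monitor.dll</ModuleAssemblyFile>
    <ModuleClassName>SecMaker.NiP.TS.Module.MonitorModule</ModuleClassName>
    <TimerSeconds>600</TimerSeconds>
  </Module>
  <Module Name="CustomExampleModule">
    <ModuleAssemblyFile>..\Temp\Example.dll</ModuleAssemblyFile>
    <ModuleClassName>Example.Module</ModuleClassName>
    <TimerSeconds>0</TimerSeconds>
  </Module>
</Modules>
"""

# A bare DLL file name: no directory separators, no leading dot.
ASSEMBLY_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*\.dll", re.IGNORECASE)
# A dotted .NET type name such as SecMaker.NiP.TS.Module.MonitorModule.
CLASS_RE = re.compile(r"[A-Za-z_]\w*(\.[A-Za-z_]\w*)*")


@dataclass
class ModuleEntry:
    name: str
    assembly_file: str
    class_name: str
    timer_seconds: str  # raw text; validated by lint_modules


def _text(module: ET.Element, tag: str) -> str:
    child = module.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_modules(xml_text: str) -> List[ModuleEntry]:
    """Parse the <Modules> section of a NiP-TS configuration file."""
    root = ET.fromstring(xml_text)
    if root.tag != "Modules":
        raise ValueError(f"expected <Modules> root, got <{root.tag}>")
    return [
        ModuleEntry(
            name=m.get("Name", ""),
            assembly_file=_text(m, "ModuleAssemblyFile"),
            class_name=_text(m, "ModuleClassName"),
            timer_seconds=_text(m, "TimerSeconds"),
        )
        for m in root.findall("Module")
    ]


def lint_modules(entries: List[ModuleEntry]) -> Dict[str, List[str]]:
    """Return findings per module name; an empty list means the entry is clean."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for e in entries:
        problems = []
        if not e.name:
            problems.append("Module has no Name attribute")
        elif e.name in seen:
            problems.append("duplicate module name")
        seen.add(e.name)
        # The service loads the DLL named here, so anything other than a bare
        # file name (a relative or absolute path) deserves a second look.
        if not ASSEMBLY_RE.fullmatch(e.assembly_file):
            problems.append(f"ModuleAssemblyFile is not a bare .dll name: {e.assembly_file!r}")
        if not CLASS_RE.fullmatch(e.class_name):
            problems.append(f"ModuleClassName is not a valid type name: {e.class_name!r}")
        if not e.timer_seconds.isdigit() or int(e.timer_seconds) <= 0:
            problems.append(f"TimerSeconds must be a positive integer: {e.timer_seconds!r}")
        findings.setdefault(e.name, []).extend(problems)
    return findings


def interval_minutes(entry: ModuleEntry) -> Optional[float]:
    """TimerSeconds expressed in minutes (600 -> 10.0), or None if invalid."""
    if entry.timer_seconds.isdigit() and int(entry.timer_seconds) > 0:
        return int(entry.timer_seconds) / 60
    return None


if __name__ == "__main__":
    parsed = parse_modules(SAMPLE_CONFIG)
    for name, problems in lint_modules(parsed).items():
        print(name, "OK" if not problems else problems)
```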
6.7 Database
NiP-API stores all data in two databases. The purposes of the two databases are:
- System
Contains all the data of the application configuration, users, tokens and certificates.
- Log
A separate database that contains all the log information (also known as audit logs).
6.8 Database collations
NiP-API uses the following default database collations:
- Microsoft SQL Server: SQL_Latin1_General_CP1_CI_AS
- Oracle MySQL: UTF8_GENERAL_CI with UTF-8 as the default character set.
6.9 Database constraints
NiP-API uses the following constraint name syntax for the database tables:
- PrimaryKeys: PK_%TABLENAME%_ID
- ForeignKeys: FK_%TABLENAME%_%PRIMARYKEYREFERENCE%
- DefaultConstraintName: DF_%TABLENAME%_%COLUMNNAME%
Note that Microsoft SQL Server allows constraint names of at most 128 characters and Oracle at most 64
characters.
6.10 Database tables
The system database contains several tables for different types of storage. The table names are stored as
abbreviations that describe their purpose. Each table below is listed with the following syntax:
Abbreviated table name
Unabbreviated table name
Purpose
The tables of the system database are:
- act_usrs
Active Users
Contains information and handle types about current logged on users.
- adm_cfgs
Administration Configurations
Contains static task configuration of the administration types.
- cache_objs
Cache Objects
Contains different type of cache objects.
- cm_soc_sec_nrs
Customized Social Security Numbers
Contains customized social security numbers to specific feature (see the User Guide for more information).
- creds
Credentials
Contains credential information for third party services.
- crt_auths
Certificate Authorities
Contains information about the certificate authority services.
- crt_tmls
Certificate Templates
Contains information about the certificate templates.
- crts
Certificates
Contains information and binary data of the stored certificates.
- dir_svcs
Directory Services
Contains information about the directory services.
- gen_sets
Generic Settings
Contains generic settings and configuration of the NiP-API instance.
- hist_tkns
Historical Tokens
Contains a list of a user’s historical tokens.
- key_objs
Key Objects
Contains binary key objects for different types of relations.
- lic_svc_nie (under development)
Undefined
Undefined
- lic_svc_nie_mstr (under development)
Undefined
Undefined
- lic_svc_nip (under development)
Undefined
Undefined
- natl_regs
National Registrations
Contains information about the national citizen register services.
- org_ofc_addrs
Organization Office Addresses
Contains information about the addresses for an office of an organization.
- org_ofcs
Organization Offices
Contains information about the offices of an organization.
- orgs
Organizations
Contains information about the organizations.
- otps
One Time Passwords
Contains temporary one-time password object types.
- privileges
Privileges
Contains a list of static and customized privileges.
- role_privilege_relns
Role Privilege Relations
Contains relation keys between roles and privilege tables.
- role_usr_grps_relns
Role User Group Relations
Contains relation keys between roles and user groups tables.
- roles
Roles
Contains a list of roles.
- rprts
Reports
Contains information templates of reports.
- sa_key_objs (under development)
Undefined
Undefined
- sa_key_usr_relns (under development)
Undefined
Undefined
- sa_key_usrs (under development)
Undefined
Undefined
- sms_tmls
SMS Templates
Contains information about the SMS templates.
- smtp_tmls
SMTP Templates
Contains information about the SMTP templates.
- srvs
Servers
Contains server objects.
- task_type_privilege_relns
Task Type Privilege Relations
Contains relation keys between task type and privilege tables.
- task_types
Task Types
Contains a list of static and customized task types.
- tasks
Tasks
Contains task objects.
- tkn_crt_tml_relns
Token Template Certificate Template Relations
Contains relation keys between token template and certificate template tables.
- tkn_mfrs
Token Manufacturers
Contains information about external token manufacturers.
- tkn_prfls
Token Profiles
Contains information about token profile configurations.
- tkn_rgtr
Token Register
Contains customized token register.
- tkn_tmls
Token Templates
Contains information about token templates.
- tkn_usr_relns
Token User Relations
Contains relation keys between token and user tables.
- tkns
Tokens
Contains token objects.
- usr_grp_relns
User Group Relations
Contains relation keys between user and group tables.
- usr_grps
User Groups
Contains user group objects.
- usr_imgs
User Images
Contains user image binaries.
- usrs
Users
Contains user objects.
- version
Version
Contains current database context version.
The tables of the log database are:
- log_ents
Log Entries
Contains information, binary data and signatures of the log entries.
6.11 Database documentation
See the documents “Net iD Portal - Database Documentation” and “Net iD Portal - Database_log Documentation” for
complete information about the databases.
6.12 Files: NiP-GUI
The file structure of NiP-GUI:
- %path%\%version%\asset\css
Contains the cascading style sheets (css) of the GUI.
- %path%\%version%\asset\fonts
Contains the fonts of the GUI.
- %path%\%version%\asset\image
Contains the images of the GUI.
- %path%\%version%\language
Contains the local language files in json format.
- %path%\%version%\app.js
GUI and front-end application structure.
- %path%\%version%\config.js
Configuration of the GUI.
- %path%\index.html
Default start page.
6.13 Files: NiP-API
The file structure of NiP-API:
- %path%\bin\*.*
Contains all the assemblies and libraries.
- %path%\texts\*.*
Contains local trace files generated by NiP-API.
- %path%\Global.asax
Specifies the handler for the instance of NiP-API.
- %path%\ServiceRestJson.svc
NiP-API REST interface formatted as Json.
- %path%\ServiceRestXml.svc
NiP-API REST interface formatted as Xml.
- %path%\ServiceSoap.svc
NiP-API SOAP interface.
- %path%\Trace.svclog
Instance diagnostic trace.
- %path%\Web.Config
Instance configuration of the NiP-API and web service.
6.14 Files: NiP-GS
The file structure of NiP-GS:
- %path%\*.dll
All the assemblies and libraries (same files as for NiP-API and NiP-TS).
- %path%\texts\*.*
Contains local trace files generated by NiP-GS.
- %path%\SecMaker.NiP.GS.exe
The executable file that is installed in the Windows Service Manager.
- %path%\SecMaker.NiP.GS.exe.config
Instance configuration of the NiP-GS.
6.15 Files: NiP-TS
The file structure of NiP-TS:
- %path%\*.dll
All the assemblies and libraries (same files as for NiP-API and NiP-GS).
- %path%\texts\*.*
Contains local trace files generated by NiP-TS.
- %path%\SecMaker.NiP.TS.exe
The executable file that is installed in the Windows Service Manager.
- %path%\SecMaker.NiP.TS.exe.config
Instance configuration of the NiP-TS.
7 Ports and protocols
7.1 About
This chapter explains which ports and protocols NiP uses by default.
7.2 Web service: Microsoft Internet Information Services
Application protocol: HTTPS
Protocol: TCP
Port: 443
7.3 Database service: MS SQL Server
System service name: MSSQLSERVER
Application protocol: SQL over TCP
Protocol: TCP
Port: 1433 (MS SQL Server default port)
7.4 Certificate service: Microsoft Certificate Authority
System service name: CertSvc
Application protocol: RPC
Protocol: TCP
Port: 135 (or randomly allocated high TCP ports)
7.5 Certificate service: EJBCA
Application protocol: HTTPS
Protocol: TCP
Port: 8443
8 Installation and configuration
8.1 About
This section explains how to install and configure the services required by NiP.
Install and configure the services in the following sequence:
- Install and configure the web service.
- Install and configure the database service.
- Install and configure the certificate service.
8.2 Install and configure the web service
8.2.1 Server role
- Start the “Server Manager” in the Windows Server operating system.
- Start the “Add Roles and Features” wizard.
- Add the “Web Server (IIS)” role.
- Add the “Application Server” role including the sub roles: “.NET Framework 4.5”, “COM+ Network Access” and
“Web Server (IIS) Support”.
- Close the “Server Manager” and restart the server.
8.2.2 NiP-API
- Extract the NiP-API files from the “WebServiceApplication” package (delivered from SecMaker AB) to an
optional directory path on the local server
(e.g. ‘C:\Program Files\Net iD Portal\WebServiceApplication’).
- Start the “Internet Information Services (IIS) Manager”.
- Add a new “Application Pool” with an optional name. Set the “.NET CLR version” to ‘4.0.30319’ and the
“Managed pipeline mode” to ‘Integrated’.
- Open “Advanced Settings” of the created application pool. Set the “Application Pool Identity” either to
‘ApplicationPoolIdentity’ as “Built-in account” or to a ‘custom account’ that has already been configured as a
service account in the environment. The service account is the physical account that needs to access the other
necessary services of the environment (i.e. database and certificate service).
- Create a new “Virtual Directory” or “Web Site” and set the physical path to the extracted NiP-API path. Choose
the “Application Pool” and set an optional “Alias”.
- Test NiP-API by browsing to and downloading the WSDL file (e.g. http://server/api/servicesoap.svc?singlewsdl).
- If using NiP-API with SSL, open the Web.Config file and change the bindings
from:
<security mode="None"></security>
to:
<security mode="Transport">
  <transport clientCredentialType="None"></transport>
</security>
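As an added example, not part of this SecMaker document, the following PowerShell script reads a NiP-API Web.Config and reports the security mode of every WCF binding, so the change from mode="None" to mode="Transport" can be verified after editing. It assumes the standard WCF <system.serviceModel>/<bindings> layout; the binding names and the sample configuration embedded in it are constructed, and the function name is hypothetical.

```powershell
# Added example (not part of the Net iD Portal documentation): report the
# transport security of every WCF binding in a NiP-API Web.Config, so an
# operator can confirm that mode="None" has been replaced by mode="Transport".
# Assumption: the file uses the standard WCF <system.serviceModel>/<bindings>
# layout; the sample below is constructed for offline demonstration.

function Get-NipApiBindingSecurity {
    param(
        [Parameter(Mandatory = $true)]
        [xml]$WebConfig
    )

    $results = @()
    # Every <security mode="..."> element anywhere under <bindings>.
    foreach ($security in $WebConfig.SelectNodes('//bindings//security[@mode]')) {
        $binding   = $security.ParentNode                 # the <binding> element
        $mode      = $security.GetAttribute('mode')
        $transport = $security.SelectSingleNode('transport')
        $clientCred = if ($transport) { $transport.GetAttribute('clientCredentialType') } else { '' }

        $results += [pscustomobject]@{
            BindingType          = $binding.ParentNode.LocalName   # e.g. basicHttpBinding
            BindingName          = $binding.GetAttribute('name')
            SecurityMode         = $mode
            ClientCredentialType = $clientCred
            # mode="None" means SOAP bodies and session data travel in clear text over HTTP.
            Cleartext            = ($mode -eq 'None')
        }
    }
    return $results
}

# Constructed sample showing both states from section 8.2.2 side by side.
$sample = [xml]@'
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="NipSoap">
          <security mode="None"></security>
        </binding>
      </basicHttpBinding>
      <webHttpBinding>
        <binding name="NipRestJson">
          <security mode="Transport">
            <transport clientCredentialType="None"></transport>
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
'@

# Against a real instance:
#   Get-NipApiBindingSecurity -WebConfig ([xml](Get-Content '<path to NiP-API>\Web.Config' -Raw))
$report = Get-NipApiBindingSecurity -WebConfig $sample
$report | Format-Table -AutoSize
if ($report | Where-Object Cleartext) {
    Write-Warning 'At least one binding still uses security mode="None"; set mode="Transport" before exposing NiP-API.'
}
```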
8.2.3 NiP-GUI
- Extract the NiP-GUI files from package to an optional directory path on the local server
(e.g. ‘C:\Program Files\Net iD Portal\GUI’).
- Open the “config.js” file and set “backendUrl” to the created service
(e.g. ‘http://server/api/servicesoap.svc’).
- Start the “Internet Information Services (IIS) Manager”.
- Create a new “Virtual Directory” or “Web Site” and set the physical path to the extracted NiP-GUI path. Choose
the “Application Pool” and set an optional “Alias”.
- Test the NiP-GUI by browsing to the URL (i.e. ‘http://server/gui/index.html’).
8.3 Install and configure the database service
8.3.1 Microsoft SQL Server
- Start the setup wizard.
- Add the feature “Database Engine Services”.
- Add the feature “Management Tools – Basic”.
- Set the optional “Instance” name.
- Set the “Collation” mode to ‘SQL_Latin1_General_CP1_CI_AS’ (the character encoding is Windows-1252, also
known as CP-1252).
- Set the “Authentication Mode” to use ‘Windows Authentication’ account only. The database needs the service
account that also will be used by the Application Pool described above.
8.3.2 Oracle MySQL
- Start the setup wizard.
- Add the feature: “MySQL Server”.
- Add the feature: “MySQL Workbench”.
- Set the “Collation” mode to ‘UTF8_GENERAL_CI’ with default character set as ‘UTF-8’.
8.4 Install and configure the certificate service
8.4.1 Microsoft Certificate Authority (MSCA)
- Start the “Server Manager” in the Windows Server operating system.
- Start the “Add Roles and Features” wizard.
- Add the “Active Directory Certificate Services” role including the sub role ‘Certification Authority’.
The MSCA can be configured in different ways depending on purpose. The two main instance types for MSCA are:
- Stand Alone CA
The Stand Alone CA makes no external or extra calls when generating the end entity certificate. The Stand Alone
CA only applies the CA signature to the certificate request and issues the certificate. All information to be
included in the end entity certificate must therefore be included in the certificate request.
- Enterprise CA
The Enterprise CA is the most common usage type for MSCA.
The Enterprise CA has several certificate templates for generating end entity certificates more dynamically,
especially when issuing certificates to different kind of users and computers.
NiP-API supports both Stand Alone CA and Enterprise CA, and additionally supports the following enrollment modes
for both instance types:
- Stamp
NiP-API creates the certificate request in PKCS#10 format containing all information about the certificate and
sends the request to the CA. The CA only makes the CA signature in the issuance process (stamp). This
scenario is very useful when issuing computer certificates.
- Modifier
NiP-API creates the certificate request in PKCS#10 format that only contains information about the end-entity.
The request is sent to the CA and NiP-API modifies the rest of the certificate extensions content for the
certificate that will be issued by the CA. This scenario is very useful when issuing certificates across domains
and services.
- Microsoft Enrollment Agent (Microsoft Enterprise CA only)
NiP-API creates the certificate request containing information about the end entity and an enrollment agent in
CMC format and sends it to the CA. The CA looks up the end entity object in the Microsoft Active Directory and
issues the certificate to that object.
8.4.2 MSCA policy modifications
In some scenarios the default MSCA settings must be modified. These modifications can be made with
“certutil.exe” (“Certificate Utility”) on the Microsoft Windows platform. The MSCA service must be restarted after
policies or settings have been changed. The most common policy and setting changes are:
- Type: RequestDisposition
Flags: REQDISP_ISSUE = 1, REQDISP_PENDINGFIRST = 256
Command: certutil -setreg policy\RequestDisposition %FLAGS%
Explanation: This command changes the policy of the request handling for the MSCA.
- Type: EnableRequestExtensionList
Flags: +%OID% (add extension) or -%OID% (remove extension)
Command: certutil -setreg policy\EnableRequestExtensionList +%OID%
Explanation: This command allows customized extensions in the issued certificate (i.e. ‘certutil -setreg
policy\EnableRequestExtensionList +1.3.6.1.5.5.7.1.3’ sets the “Qualified Certificate” extension
to be allowed in the request).
- Type: RequestExtensionList
Flags: +EDITF_REQUESTEXTENSIONLIST (add flag) or -EDITF_REQUESTEXTENSIONLIST (remove flag).
Command: certutil -setreg policy\EditFlags +EDITF_REQUESTEXTENSIONLIST
Explanation: This command allows customized extensions to be added into the issued certificate.
- Type: AttributeEndDate
Flags: +EDITF_ATTRIBUTEENDDATE (add flag) or -EDITF_ATTRIBUTEENDDATE (remove flag).
Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
Explanation: This command allows the validity period to be customized within the time span of the certificate
template; otherwise the validity of the issued certificate will always be the validity specified in the certificate
template (Enterprise CA only).
- Type: BasicConstraintsCritical
Flags: +EDITF_BASICCONSTRAINTSCRITICAL (add flag) or -EDITF_BASICCONSTRAINTSCRITICAL
(remove flag).
Command: certutil -setreg policy\EditFlags +EDITF_BASICCONSTRAINTSCRITICAL
Explanation: This command sets the basic constraints as critical in the issued certificate.
- Type: AttributeSubjectAltName2
Flags: +EDITF_ATTRIBUTESUBJECTALTNAME2 (add flag) or -EDITF_ATTRIBUTESUBJECTALTNAME2
(remove flag).
Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Explanation: This command allows NiP-API to set the SubjectAlternativeName extension of the issued
certificate.
- Type: AllowRequestAttributeSubject
Flags: +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (add flag) or
-CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (remove flag).
Command: certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
Explanation: This command allows customized subject names (or OIDs) in the subject of the issued certificate.
- Type: SubjectTemplate
Flags: +%OID% (add subject name attribute) or -%OID% (remove subject name attribute).
Command: certutil -setreg ca\SubjectTemplate +%OID%
Explanation: This command allows customized subject name attributes in the subject of the issued certificate
(e.g. ‘certutil -setreg ca\SubjectTemplate +2.5.4.5’ sets the “SerialNumber” attribute to be
allowed in the subject).
- Type: RebuildModifiedSubjectOnly
Flags: +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (add flag) or
-CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (remove flag).
Command: certutil -setreg ca\CRLFlags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY
Explanation: This command allows any custom OID in the subject of the issued certificate. There is no need to
modify the “SubjectTemplate” described above. Note that this only works when enrollment mode is set to
“Stamp” which means that all customized OIDs must be set in the certificate request. This will not work in
“Modifier” enrollment mode.
- Type: EnforceX500NameLengths
Flags: 1 (add flag) or 0 (remove flag).
Command: certutil -setreg ca\EnforceX500NameLengths 0
Explanation: This command allows values in the subject name attributes to be longer than 64 characters (the default limit).
- Type: ValidityPeriod
Flags: %PERIODSTRING% (Years, Months, Hours, Minutes, Seconds).
Command: certutil -setreg ca\ValidityPeriod %PERIODSTRING%
Explanation: This command sets the maximum validity period of the issued certificate (e.g. ‘certutil -setreg
ca\ValidityPeriod Years’ sets the maximum validity period unit to years). Note that this is only useful when
using “Stand Alone CA” with enrollment mode “Modifier”. This command has no effect on “Enterprise CA” because
the current certificate template overrides the maximum validity period.
- Type: ValidityPeriodUnits
Flags: %PERIODINTEGER%
Command: certutil -setreg ca\ValidityPeriodUnits %PERIODINTEGER%
Explanation: This command sets the maximum validity period units of the issued certificate (e.g. ‘certutil -setreg
ca\ValidityPeriodUnits 2’ sets the maximum validity period units to “2”, i.e. 2 years if used with the example of
“ValidityPeriod” above). Note that this is only useful when using “Stand Alone CA” with enrollment mode
“Modifier”. This command has no effect on “Enterprise CA” because the current certificate template overrides the
maximum validity period. Note that the maximum period units cannot exceed the validity of the CA itself.
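As an added example (not from the Net iD Portal documentation), the following PowerShell script parses the text printed by “certutil -getreg” and reports which of the flags listed in this section are set, so the CA configuration can be reviewed before and after the changes above. It assumes certutil prints each set flag by its symbolic name; the sample certutil output embedded in it is constructed, and the function names are hypothetical.

```powershell
# Added example (not from the Net iD Portal documentation): parse "certutil -getreg"
# output and report which EditFlags / CRLFlags / RequestDisposition flags named in
# section 8.4.2 are set on the MSCA, so a change set can be reviewed.
# Assumption: certutil -getreg lists every set flag by its symbolic name, one per
# line; the sample text below is constructed in that shape.

# Registry value -> flags this section tells the operator to consider.
$NipRelevantFlags = @{
    'policy\EditFlags' = @(
        'EDITF_REQUESTEXTENSIONLIST',
        'EDITF_ATTRIBUTEENDDATE',
        'EDITF_BASICCONSTRAINTSCRITICAL',
        'EDITF_ATTRIBUTESUBJECTALTNAME2'
    )
    'ca\CRLFlags' = @(
        'CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT',
        'CRLF_REBUILD_MODIFIED_SUBJECT_ONLY'
    )
    'policy\RequestDisposition' = @(
        'REQDISP_ISSUE',          # 1: issue immediately (Stamp mode)
        'REQDISP_PENDINGFIRST'    # 256: hold as pending first (Modifier mode, 257 = both)
    )
}

function Get-CertutilFlagNames {
    # Extract every symbolic flag name certutil printed (EDITF_*, CRLF_*, REQDISP_*).
    param([Parameter(Mandatory = $true)][string]$CertutilOutput)
    $names = [regex]::Matches($CertutilOutput, '\b(EDITF|CRLF|REQDISP)_[A-Z0-9_]+\b') |
        ForEach-Object { $_.Value }
    return @($names | Sort-Object -Unique)
}

function Get-NipCaFlagReport {
    # $Outputs maps a registry value name (e.g. 'policy\EditFlags') to the text
    # returned by "certutil -getreg <that value>".
    param([Parameter(Mandatory = $true)][hashtable]$Outputs)
    $report = foreach ($value in $NipRelevantFlags.Keys) {
        $text = [string]$Outputs[$value]
        $set  = if ($text) { Get-CertutilFlagNames -CertutilOutput $text } else { @() }
        foreach ($flag in $NipRelevantFlags[$value]) {
            [pscustomobject]@{
                RegistryValue = $value
                Flag          = $flag
                IsSet         = ($set -contains $flag)
            }
        }
    }
    return $report
}

# Constructed sample output: a CA set up as in 8.4.5 (RequestDisposition 257)
# with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled and CRLFlags left at default.
$sampleOutputs = @{
    'policy\EditFlags' = @'
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
'@
    'ca\CRLFlags' = @'
  CRLFlags REG_DWORD = 2 (2)
    CRLF_DELETE_EXPIRED_CRLS -- 2
CertUtil: -getreg command completed successfully.
'@
    'policy\RequestDisposition' = @'
  RequestDisposition REG_DWORD = 101 (257)
    REQDISP_ISSUE -- 1
    REQDISP_PENDINGFIRST -- 100 (256)
CertUtil: -getreg command completed successfully.
'@
}

# Live use on the CA host (certutil must be on PATH, run as CA administrator):
#   $live = @{}; foreach ($v in $NipRelevantFlags.Keys) { $live[$v] = (certutil -getreg $v | Out-String) }
#   Get-NipCaFlagReport -Outputs $live | Format-Table -AutoSize
$report = Get-NipCaFlagReport -Outputs $sampleOutputs
$report | Sort-Object RegistryValue, Flag | Format-Table -AutoSize

# EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a subject alternative name
# supplied with the request, so when it is set, keep enrollment rights on the CA
# and on the templates used by NiP-API limited to the NiP-API service account.
if ($report | Where-Object { $_.Flag -eq 'EDITF_ATTRIBUTESUBJECTALTNAME2' -and $_.IsSet }) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: verify that enrollment permissions are restricted.'
}
```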
8.4.3 Setup MSCA as a Stand Alone CA and enrollment mode as Stamp:
- Set the CA instance as ‘stand-alone root CA’ or ‘subordinate CA’.
- Set the “CSP” as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using
ECC).
- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 1.
The CA will now automatically issue the certificate.
8.4.4 Setup MSCA as a Stand Alone CA and enrollment mode as Modifier:
- Set the CA instance as ‘stand-alone root CA’ or ‘subordinate CA’.
- Set the CSP as “RSA Microsoft Key Storage Provider” (or “ECDSA Microsoft Key Storage Provider” if using
ECC).
- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 257.
The CA will now set the request as pending before issuing the certificate.
8.4.5 Setup MSCA as an Enterprise CA and enrollment mode as Modifier:
- Set the CA instance as ‘Enterprise root CA’ or ‘subordinate CA’.
- Set the CSP as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using
ECC).
- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 257.
The CA will now set the request as pending before issuing the certificate.
- Open the “Certificate Authority” snap-in module.
- Right-click the “Certificate Templates” and choose “Manage”.
- Right-click the “User” template and choose the “Compatibility Settings” for the current environment.
- Set an optional “Template Display Name” and “Template Name” in the “General” tab. Make sure that “Publish in
Active Directory” property is disabled.
- Set the “Purpose” in the “Request Handling” tab. Disable the “Allow private key to be exported” property.
- Set the “CSP” and “KeyLength” in the “Cryptography” tab.
- Set “CA certificate manager approval” in the “Issuance Requirements” tab.
- Set “Supply in the request” in the “Subject Name” tab.
- Click “OK”.
- Right-click the “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
- Choose the template that just has been created.
- Close the snap-in module and restart the MSCA service.
8.4.6 Setup MSCA as an Enterprise CA and enrollment mode as EnrollmentAgent:
- Set the CA instance as ‘Enterprise root CA’ or ‘subordinate CA’.
- Set the CSP as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using
ECC).
- Open the “Certificate Authority” snap-in module.
- Right-click the “Certificate Templates” and choose “Manage”.
- Open “Enrollment Agent (Computer)” certificate template and open the “Security” tab.
- Add the server of the NiP-API (i.e. ‘webserver$’) and set “Read” and “Enroll” as permissions to this account.
- Click “OK”.
- Right-click the “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
- Choose the template “Enrollment Agent (Computer)”.
- Open the “Certificate” snap-in module on the server of the NiP-API.
- Open the “Personal” folder and right-click the “Certificates” > “All tasks” > “Request New Certificate”.
- Issue a certificate from the template “Enrollment Agent (Computer)”.
- Set the “Security Permissions” of the certificate (i.e. Computers and/or UserGroups).
8.4.7 Enterprise Java Beans Certificate Authority (EJBCA):
Please read the documentation on ejbca.org or contact PrimeKey for a professional installation of EJBCA.
- Install EJBCA.
- Setup the Certificate Authority.
- Create an administrator user that will be used as a web service user (i.e. ws-user) with correct privileges.
- Create a PKCS#12 file for the web service user and install the content of the PKCS#12 file on the current web
server.
- Set permission rights for the private key so it’s accessible by NiP-API service account.
- Set the web service user status to ‘Generated’ to ensure that no additional certificates can be enrolled by
mistake for this account.
- Test the EJBCA web service by browsing and download the WSDL file
(i.e. https://ejbca:8443/ejbca/ejbcaws/ejbcaws?wsdl).
For more information on how to set up EJBCA, please read the documentation at the following link:
http://www.ejbca.org/.
9 Uninstall the application
9.1 About
This chapter will explain the NiP uninstall procedure.
9.2 Settings and dependencies
When uninstalling NiP, the current database together with some files and settings are still stored in the system, even if
the application has been uninstalled.
The settings that still are stored in the system are:
- [INTERNET INFORMATION SERVICE]\[Application Pools]\NiPAppPool
- [INTERNET INFORMATION SERVICE]\[WebSite or VirtualDirectory]
- [INTERNET INFORMATION SERVICE]\[WebSite or VirtualDirectory]EWS
The objects in Internet Information Services are kept because of special settings in IIS; they are not removed
automatically, which facilitates upgrading NiP.
9.3 Upgrading
When upgrading NiP, the current version of the application must first be uninstalled.
Use the current installation package from SecMaker AB:
1) Unzip the installation package file.
2) Stop the services “Net iD Portal Generic Service” and “Net iD Portal TimerService”.
3) IMPORTANT: Do not replace the following files when upgrading:
<Installation Directory>\WebServiceApplication\Web.config
<Installation Directory>\WebServiceExternal\Web.config
<Installation Directory>\GenericService\SecMaker.NiP.GS.exe.config
<Installation Directory>\TimerService\SecMaker.NiP.TS.exe.config
4) Replace the files in the installation folder with the new files obtained from SecMaker.
5) Run SecMaker.NiP.Commander.exe and choose command [1] and [6].
Follow the instructions to upgrade the database.
9.4 Complete uninstallation
Do the following steps to make a complete uninstall of NiP. Note that all settings and information about the users in NiP
will be erased!
1) Delete all files in the Net iD Portal directory.
2) Stop the windows services “Net iD Portal Generic Service” and “Net iD Portal Timer Service”.
3) Run PowerShell with administrative privileges and type in the following commands to uninstall the Windows
services:
$service1 = Get-WmiObject -Class Win32_Service -Filter "Name='Net iD Portal Generic Service'"
$service1.delete()
$service2 = Get-WmiObject -Class Win32_Service -Filter "Name='Net iD Portal Timer Service'"
$service2.delete()
4) Delete the installation directory of NiP
(i.e. <Net iD Portal Installation Directory>\Net iD Portal\).
5) Open “Microsoft Internet Information Service”.
6) Delete the installed WebSites (or Virtual Directories) (i.e. ‘nip’ and ‘nipEWS’).
7) Go to the “Application Pools” in “Internet Information Service” and delete the ‘NiPAppPool’ object.
8) Close “Microsoft Internet Information Service”.
9) Open “Microsoft SQL Management Studio”.
10) Delete the current system database and log database (i.e. ‘NiPDB’, ‘NiPDB_log’, and ‘NiPDB_logClient’).
11) Expand “Security” tree and open “Logins” directory.
12) Delete the “NiPDBUser” service account.
13) Close “Microsoft SQL Management Studio”.
14) The NiP structure is now uninstalled from the system.
10 Troubleshooting
10.1 About
This chapter explains how to enable/disable different types of trace for Net iD Portal.
10.2 Trace: Net iD Enterprise
To enable trace for the Net iD Enterprise PKI client, right-click the Net iD icon in the Windows notification area > Trace >
Enable. To open the trace file, right-click the Net iD icon in the Windows notification area > Trace > Open.
See the document “Net iD Enterprise Technical Description” for more information.
10.3 Trace: Net iD Portal with log4net extension
To enable trace for Net iD Portal, open the “web.Config” file and search for the <log4net></log4net> xml node. Change
the value of the xml attribute “threshold” to “All” (i.e. <log4net threshold="All">). Note that log4net traces all calls within
the process and can degrade performance. To disable the log4net trace extension, change the “threshold” value to
“Off” (i.e. <log4net threshold="Off">).
10.4 Trace: Net iD Portal with Generic Service (Trace Server)
To enable trace for Net iD Portal without decreasing the performance, use the “Trace Server” applied in “Generic
Service”. Login to NiP and go to the “Administration” section. Use the “Settings” type and update the “Net iD Portal”
settings task. Change the value of the attribute “TraceSrvEnabled” to “1”, then click “Execute” to apply the changes. To
disable the Trace Server, change the value of the attribute “TraceSrvEnabled” to “0”.
10.5 Trace: Microsoft Internet Information Services Diagnostics
If NiP-API cannot be called, use the system diagnostics for Microsoft Internet Information Services. Open the
“web.Config” file and search for the <system.diagnostics></system.diagnostics> xml node. Change the value of the xml
attribute “switchValue” of the <source> element named “System.ServiceModel” to “All” (i.e. <source name="System.ServiceModel"
switchValue="All">). To disable the diagnostics trace, change the value to “Off” (i.e. <source
name="System.ServiceModel" switchValue="Off">).
10.6 Error codes and messages
This section lists the error codes from NiP. There are error codes related to the login process, the NiP-GUI (client side)
and NiP-API (server side).
All error message texts can be customized, so the message shown to users for a specific error code can be added or
changed.
10.6.1 Login and session
Error messages from login and session handling when not logged in.
Error string Error text shown in GUI (English/Swedish)
errorNoRolesAvailable The login was successful but there are no services available that you have the authorization to use.
Inloggningen lyckades men det finns inga tjänster tillgängliga som du är behörig att använda.
errorNoSuitableTokenAvailable There is no suitable smart card present.
Det finns inget passande kort tillgängligt.
errorPoliciesNotFullFilled The policy for the content of the input field has not been fulfilled. Please make corrections and try again.
Regelverket för vad fältet får innehålla är inte uppfyllt. Korrigera innehållet och försök igen.
errorSessionExpired Your session has expired since you have been inactive for too long. Please login again.
Du har varit inaktiv för länge så din session är inte längre giltig. Logga in på nytt.
10.6.2 NiP-GUI (client side)
Error messages from NiP-GUI on client side.
Error code
Error string Error text shown in GUI (English/Swedish)
CLT001 CKR_CLIENT_MISSING The client software used for local calls is missing. Please check your installation.
Klientprogramvaran som används för lokala anrop saknas. Kontrollera din installation.
CLT002 CKR_CLIENT_ACCESS_DENIED The client software used for local calls has stopped the communication with the server. Please check the security settings for 'allowed servers'.
Klientprogramvaran som används för lokala anrop har stoppat kommunikationen med servern. Kontrollera inställningen för tillåtna värddatorer (allowed servers).
10.6.3 NiP-API (server side)
Error messages from NiP-API at server side.
General error messages
Error code
Error string Error text shown in GUI (English/Swedish)
NPR001 NPR_ACCESS_DENIED Access denied. Authorization to access the system is missing.
Autentisering misslyckades. Behörighet till systemet saknas.
NPR002 NPR_ARGUMENT_INVALID Argument is invalid.
Argumentet är ogiltigt.
NPR003 NPR_ARGUMENT_MISSING Argument is missing.
Argument saknas.
NPR004 NPR_DATA_INVALID Data is invalid.
Data är ogiltigt.
NPR005 NPR_DATA_NOT_FOUND Data cannot be found.
Kunde ej hitta data.
NPR006 NPR_FAILED Failed with the action.
Åtgärden misslyckades.
NPR007 NPR_FORM_NOT_FOUND The form was not found.
Kunde ej hitta formuläret.
NPR008 NPR_IMG_INVALID The image is invalid. Please check that the size is within the min/max values for an image or that other policies are followed.
Fotot är ogiltigt. Kontrollera att det håller sig inom giltiga min/max-storlekar.
NPR009 NPR_LOGIN_FAILED Failed to login.
Inloggning misslyckades.
NPR010 NPR_PROTECTED_DATA Protected data.
Förändringsskyddad data.
NPR011 NPR_SECURITY_CODE_POLICY_MISMATCH The characters in the password do not fulfill the password policy. Please choose another password and try again.
Regelverket för vilka tecken som säkerhetskoden får innehålla är inte uppfyllt. Korrigera innehållet och försök igen.
NPR012 NPR_SESSION_EXPIRED You have been inactive for too long and your session has expired. Please login again.
Du har varit inaktiv för länge så din session är inte längre giltig. Logga in på nytt.
Error messages related to Token and Certificate management
Error code
Error string Error text shown in GUI (English/Swedish)
NPR101 NPR_CRT_INVALID The certificate is invalid.
Certifikatet är ogiltigt.
NPR102 NPR_CRT_REQUEST_INVALID The certificate request is invalid.
Certifikatbegäran är ogiltig.
NPR103 NPR_ENROLLMENT_FAILED Enrollment of the token failed.
Utfärdande av enhet misslyckades.
NPR104 NPR_TKN_ALREADY_EXISTS The token already exists.
Enheten finns redan i systemet.
NPR105 NPR_TKN_NOT_BOUNDED_TO_USER The token is not bound to a user.
Enheten är inte knuten till någon användare.
NPR106 NPR_TKN_NOT_FOUND The token was not found.
Kunde inte hitta enheten.
NPR107 NPR_TKN_TEMPLATE_NOT_FOUND The token template was not found.
Kunde inte hitta enhetsmallen.
NPR108 NPR_UNLOCK_TKN_FAILED Failed to unlock the token.
Misslyckades med att låsa upp enheten.
NPR109 NPR_USER_TKN_BIND_FAILED Failed to bind token to the user.
Misslyckades att knyta enheten till användaren.
NPR110 NPR_TKN_INVALID The validity period of the token has expired and it cannot be used any more.
Giltighetstiden för enheten har gått ut och den kan inte längre användas för utfärdande.
Error messages related to User management
Error code  Error string  Error text shown in GUI (English/Swedish)
NPR201 NPR_USER_ALREADY_EXISTS The user already exists in the system.
Användaren finns redan i systemet.
NPR202 NPR_USER_HAS_BOUNDED_TKNS There are tokens bound to the user.
Användaren har enheter knutna till sig.
NPR203 NPR_USER_HAS_BOUNDED_TKNS_TO_BE_REVOKED There are tokens bound to the user that need to be revoked.
Användaren har enheter knutna till sig som behöver spärras.
NPR204 NPR_USER_INVALID The user is invalid.
Användaren är ogiltig.
NPR205 NPR_USER_NOT_FOUND The user was not found.
Kunde inte hitta användaren.
NPR206 NPR_USER_UPDATE_FAILED Failed to update the user information.
Misslyckades med att uppdatera information om användaren.
Error messages related to Task management
Error code  Error string  Error text shown in GUI (English/Swedish)
NPR301 NPR_TASK_ACTION_NOT_FOUND The task action was not found.
Kunde inte hitta delmomentet för ärendet.
NPR302 NPR_TASK_ACTION_SIGN_FAILED Failed to sign the task action.
Signering av ärendet misslyckades.
NPR303 NPR_TASK_ALREADY_EXECUTED The task has already been executed.
Ärendet har redan slutförts.
NPR304 NPR_TASK_CREATED The task has been created.
Ärende skapat.
NPR305 NPR_TASK_FAILED Failed to execute the task.
Misslyckades utföra ärendet.
NPR306 NPR_TASK_IN_PROGRESS The task is in progress.
Ärendet bearbetas.
NPR307 NPR_TASK_NOT_FOUND The task was not found.
Kunde inte hitta ärendet.
NPR308 NPR_TASK_DELEGATED The task has been successfully delegated to another officer. Your part of the task has been completed.
Ärendet har delegerats vidare till en annan handläggare. Dina steg i processen är avklarade.
NPR309 NPR_TASK_ALREADY_EXISTS A task already exists for the object chosen.
Det finns redan ett pågående ärende för samma objekt.
Error messages related to external services
When there is a problem with an external service connected to NiP, the error message from that service is included in the
error message returned by NiP. The information reported by the service is passed on in the same words and language in
which it was reported to NiP. The possible error messages from connected services are not listed here; they have to be
looked up in the documentation of each service.
Error code  Error string  Error text shown in GUI (English/Swedish)
NPR901 NPR_CA_ERROR A problem with the certificate authority service occurred. Please contact your system administrator.
Fel i certifikatutfärdandetjänsten. Kontakta systemadministratören för åtgärd.
NPR902 NPR_DATABASE_ERROR Database error. Please contact your system administrator.
Fel i databastjänsten. Kontakta systemadministratören för åtgärd.
NPR903 NPR_MSG_SRV_INIT_FAILED Failed to initialize the messaging service. Please contact your system administrator.
Fel i meddelandetjänsten. Kontakta systemadministratören för åtgärd.
NPR904 NPR_MSG_SRV_NOT_FOUND The messaging service was not found. Please contact your system administrator.
Saknar åtkomst till meddelandetjänsten. Kontakta systemadministratören för åtgärd.
NPR905 NPR_NAVET_ERROR Error in the Navet service. Please contact your system administrator.
Fel i Navet-tjänsten. Kontakta systemadministratören för åtgärd.
NPR906 NPR_NAVET_UNREG_PERSON The person is missing in Navet. Please check that the correct Swedish 'personnummer/samordningsnummer' has been entered.
Personen saknas i Navet. Kontrollera att rätt personnummer/samordningsnummer angetts.
11 Status information
11.1 About
This chapter contains tables with status codes and texts for Token status, Task status and Order Status.
All status texts can be customized if you want to add or change the text for a specific status.
11.2 Token status
The table below is the translation table for Token status that can be shown for active and/or historical tokens.
Token status code  Text name  Status shown in GUI (English)  Status shown in GUI (Swedish)
0 Unspecified Not specified Oregistrerad
1 Unused Not used Ej använd
2 Active Active Aktiv
3 WaitForExternalObject Waiting for external object Väntar på externt objekt
4 WaitForDistribution Waiting for distribution Väntar på att skickas
5 Blocked Blocked Spärrad
6 Retired Retired Tagen ur bruk
7 Expired Expired Utgången
11.3 Task status
The table below is the translation table for Task status that can be shown for tasks in the task lists of the GUI.
Task Status text string Status shown in GUI (English) Status shown in GUI (Swedish)
orderState_Blocked Blocked Spärrad
orderState_CertificateRetrieved Certificate issued Certifikat hämtat
orderState_Delivered Delivered Levererad
orderState_Delivery Delivery Leverans
orderState_Disaster Serious fault Allvarligt fel
orderState_Error Error Fel
orderState_InProduction In production Produktion påbörjad
orderState_OrderReceived Order received Order mottagen
orderState_ReadyToBeResent Ready to be resent Redo att skickas igen
orderState_ReadyToBeSent Ready to be sent Redo att skickas
orderState_Sent Sent Skickad
orderState_TokenPrinted Token printed Enhet visuellt personaliserad
orderState_TokenReady Token ready Enhet redo
orderState_TokenSentWaitForPin Token sent, waiting for PUK Enhet skickad, väntar på PUK
orderState_Unknown Unknown Okänt
orderState_Unsigned Unsigned Ej underskriven
state_Cancelled Cancelled Avbrutet
state_Done Done Klart
state_InProgress In progress, locked Pågående, låst
state_NotReady In progress Pågående
state_TimedOut Timed out Utgånget
state_Wait Waiting Väntar
11.4 GemaltoProductionStatus, Kunddatafil
The following table shows the production order status messages that are delivered from Gemalto and the translation to
NiP status codes.
Gemalto Order Status in "Kunddatafil" NiP status code translation
DATA INPUT 510 (OrderReceived)
ASCII-DATA LOADED 510 (OrderReceived)
ASCII-DATA ACCEPTED, IMAGES TO BE LOADED 510 (OrderReceived)
ORDER RECIEVED 510 (OrderReceived)
IMAGE EXISTS, DATA DOES NOT 510 (OrderReceived)
DATA EXISTS, IMAGE DOES NOT 510 (OrderReceived)
SPAR QUERY DONE, IMAGESCANNING NEEDED 510 (OrderReceived)
SPAR QUERY SENDED 510 (OrderReceived)
SPAR QUERY RECIEVED 510 (OrderReceived)
WAITING FOR NEW SPAR 510 (OrderReceived)
INTYG CONTROL 510 (OrderReceived)
INTYG WAIT 510 (OrderReceived)
READY FOR PRODUCTION 520 (InProduction)
WORK ORDER NUMBER CREATION 520 (InProduction)
IMAGE BACKGROUND REMOVAL 520 (InProduction)
READY TO PRODUCTION 520 (InProduction)
PRODUCTION 520 (InProduction)
PICKED TO PRODUCTION 520 (InProduction)
SET GENERATED 520 (InProduction)
BATCH EXTRACTED 520 (InProduction)
WORK FILES CREATED 520 (InProduction)
READY FOR LASER-PRINTING 520 (InProduction)
PRINTED 521 (TokenPrinted)
WAITING FOR QUALITY CONTROL 520 (InProduction)
IN QUALITY CONTROL 520 (InProduction)
Security calculation request needed 520 (InProduction)
Security calculation to be read 520 (InProduction)
Security calculation results read 520 (InProduction)
READY FOR CERTIFICATE REQUEST 520 (InProduction)
SECONT CERT TO BE READ 520 (InProduction)
THIRD CERT TO BE READ 520 (InProduction)
CERTIFICATE REQUEST SEND 520 (InProduction)
CERTIFICATE ANSWER RECIEVED 522 (CertificateRetrieved)
CHIP-DATA EXTRACTED 520 (InProduction)
CERTIFICATE UPDATED TO DATABASE 520 (InProduction)
PICKED TO FINALIZATION 520 (InProduction)
IN REMOTE CHIP PERSONALIZATION 520 (InProduction)
REMOTE CHIP PERSONALIZATION DONE 520 (InProduction)
NON SIDOP PERSONALIZATION 520 (InProduction)
PRODUCT READY 523 (TokenReady)
POST HANDLING 530 (Delivery)
TO BE PACKED 530 (Delivery)
PACKED 530 (Delivery)
PRODUCTION LIST TO BE PRINTED 530 (Delivery)
PRODUCTION LIST PRINTED, NOT CHECKED 540 (Delivered)
PIN-LETTER WAIT 531 (TokenSentWaitForPin)
PIN-LETTER PRINTED 540 (Delivered)
NOTE-LETTER WAIT 540 (Delivered)
NOTE-LETTER PRINTED 540 (Delivered)
READY 540 (Delivered)
DELIVERIED 540 (Delivered)
ERROR 600 (Error)
ORDER IS TO BE CHECKED 600 (Error)
ERROR, WAITING CUSTOMER ANSWER 600 (Error)
CUSTOMER RETURN WAITING FOR COVERING LETTER PRINTING 600 (Error)
RETURNED TO CUSTOMER, TO BE REPORTED 600 (Error)
ERROR RETURN TO CUSTOMER 600 (Error)
default 0 (Unknown)
11.5 NiP translations GemaltoProductionStatus
The NiP status codes for Gemalto production status messages have the following translations.
Status code Text name Status shown in GUI (English) Status shown in GUI (Swedish)
0 Unknown Unknown Okänt
510 OrderReceived Order received Order mottagen
520 InProduction In production Produktion påbörjad
521 TokenPrinted Token printed Enhet visuellt personaliserad
522 CertificateRetrieved Certificate Issued Certifikat hämtat
523 TokenReady Token ready Enhet redo
530 Delivery Delivery Leverans
531 TokenSentWaitForPin Token sent, waiting for PUK Enhet skickad, väntar på PUK
540 Delivered Delivered Levererad
550 Blocked Blocked Spärrad
600 Error Error Fel
12 Changes from earlier versions
Brief information regarding changes in the documentation from earlier versions of NiP.
For more detailed information, see each section.
12.1 Changes between v5.0 and v5.1
Because of the implementation of dynamic tasks, the changes between v5.0 and v5.1 are so many that v5.1 of the
Technical Description should be considered a completely new document.
12.2 NiP v5.0
This was the first version of the NiP v5 Technical Description, so there are no changes from earlier versions.
13 NiP documentation
NiP Administrator’s Guide: User Guide intended for NiP Administrators making configurations for the NiP application. The document describes the configurations and the implications of the different options.
NiP API Information: Provides information regarding the APIs for NiP. The document is intended for technicians, testers and developers of NiP.
NiP Database documentation: Database dump for the primary database of NiP. The information is primarily intended for database administrators.
NiP Database_log documentation: Database dump for the log database of NiP. The information is primarily intended for database administrators.
NiP Handläggar- och Slutanvändarhandledning: NiP Officer and End User User’s Guides in Swedish. The first version of this document will be written for v5.2.
NiP Installation Guide: Provides information regarding how to make a basic installation of the NiP application and the necessary prerequisites. The Installation Guide is primarily intended for technicians responsible for, or involved in, installation of NiP.
NiP Officer and End User User’s Guide: User Guide intended for NiP Officers managing smart cards, devices, certificates and users. The end user part is included to give the officers information regarding the self-service interfaces used by the end users. The first version of this document will be written for v5.2.
NiP Release Notes: Release Notes for NiP in txt format.
NiP XML configuration: Provides examples of how to configure XML formatted configurations in NiP. The document is intended for technicians responsible for, or involved in, configuration of NiP.