Net iD Portal Technical Description - SecMaker


Confidentiality: Public

Net iD Portal Technical Description v5.1

Net iD Portal - Technical Description v5.1

Copyright 2017 © SecMaker AB

Confidentiality: Public

Document no: SMP-NiP16-04

Date: 2017-03-13


Content

1 Introduction
1.1 About this document
1.2 Who should read this document
1.3 Feedback and support
1.4 Contact information
1.5 Additional technical documents

2 What is Net iD Portal?
2.1 NiP-API
2.2 NiP-GUI
2.3 Release life cycle

3 Standards and algorithms
3.1 Date and time
3.2 Public key algorithm
3.3 Digital signature
3.4 Encryption algorithm
3.5 Hash algorithm

4 Service requirements
4.1 About
4.2 Web service
4.3 Database service
4.4 Certificate service

5 Additional services
5.1 About
5.2 Directory service: Microsoft Active Directory (MSAD DS)
5.3 Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS)
5.4 National Citizen Register service: Swedish Tax Agency Navet (Navet)

6 Architecture of Net iD Portal
6.1 About
6.2 NiE (Net iD Enterprise)
6.3 NiP-GUI (Net iD Portal Graphical User Interface)
6.4 NiP-API (Net iD Portal Application Programming Interface)
6.5 NiP-GS (Net iD Portal Generic Service)
6.6 NiP-TS (Net iD Portal Timer Service)
6.7 Database
6.8 Database collations
6.9 Database constraints
6.10 Database tables
6.11 Database documentation
6.12 Files: NiP-GUI
6.13 Files: NiP-API
6.14 Files: NiP-GS
6.15 Files: NiP-TS

7 Ports and protocols
7.1 About
7.2 Web service: Microsoft Internet Information Services
7.3 Database service: MS SQL Server
7.4 Certificate service: Microsoft Certificate Authority
7.5 Certificate service: EJBCA

8 Installation and configuration
8.1 About
8.2 Install and configure the web service
8.2.1 Server role
8.2.2 NiP-API
8.2.3 NiP-GUI
8.3 Install and configure the database service
8.3.1 Microsoft SQL Server
8.3.2 Oracle MySQL
8.4 Install and configure the certificate service
8.4.1 Microsoft Certificate Authority (MSCA)
8.4.2 MSCA policy modifications
8.4.3 Setup MSCA as a Stand Alone CA and enrollment mode as Stamp
8.4.4 Setup MSCA as a Stand Alone CA and enrollment mode as Modifier
8.4.5 Setup MSCA as an Enterprise CA and enrollment mode as Modifier
8.4.6 Setup MSCA as an Enterprise CA and enrollment mode as EnrollmentAgent
8.4.7 Enterprise Java Beans Certificate Authority (EJBCA)

9 Uninstall the application
9.1 About
9.2 Settings and dependencies
9.3 Upgrading
9.4 Complete uninstallation

10 Troubleshooting
10.1 About
10.2 Trace: Net iD Enterprise
10.3 Trace: Net iD Portal with log4net extension
10.4 Trace: Net iD Portal with Generic Service (Trace Server)
10.5 Trace: Microsoft Internet Information Services Diagnostics
10.6 Error codes and messages
10.6.1 Login and session
10.6.2 NiP-GUI (client side)
10.6.3 NiP-API (server side)

11 Status information
11.1 About
11.2 Token status
11.3 Task status
11.4 GemaltoProductionStatus, Kunddatafil
11.5 NiP translations GemaltoProductionStatus

12 Changes from earlier versions
12.1 Changes between v5.0 and v5.1
12.2 NiP v5.0

13 NiP documentation


1 Introduction

1.1 About this document

This document provides detailed technical information for the application Net iD Portal version 5.1.

1.2 Who should read this document

The document is written primarily for technicians responsible for, or involved in, installation and configuration of Net iD Portal, henceforth called NiP in this document.

1.3 Feedback and support

Please forward your comments and problem reports to the following e-mail addresses:

Any problems with the documentation should be reported by sending an e-mail to:

[email protected]

Any other feedback may be reported by sending an e-mail to:

[email protected]

If you are a SecMaker customer with a Net iD Support Agreement, you may also register tickets in our support system. Please visit https://support.secmaker.com for more information.

1.4 Contact information

SecMaker AB

Phone: +46 (0) 8 – 6012300

E-mail: [email protected]

Web: www.secmaker.com

1.5 Additional technical documents

Where additional services or processes are described in other documentation, this is indicated with an icon in the document.

You can order technical documents through SecMaker’s website.

Visit www.secmaker.com > Partners > Developers > Technical manual.


2 What is Net iD Portal?

Net iD Portal (NiP) is a life-cycle management application from SecMaker that simplifies the management of smart cards, devices, certificates, and users for an organization.

NiP simplifies the lifecycle management of tokens containing certificates and keys (i.e. smart cards, USB tokens, devices, …). NiP gives an overview of the tokens of different end entities, for example users and servers, and makes it possible to manage them, for example issuance and revocation of tokens. NiP handles the complete chain between users, tokens, keys, and certificates.

NiP interconnects the certificate service and database service in the organizational infrastructure.

Administrators, officers and end users have web GUIs where they can access the NiP features that they have been given permission to use. As an example, an officer can access the NiP Officer GUI and manage end user smart cards and certificates, e.g. for logon authentication to the organization's network and applications and/or for signing/encrypting documents.

The architecture of NiP consists of a NiP-API and normally a NiP-GUI. The NiP-GUI interacts with the NiP-API and becomes a web portal that can be used with a web browser.

Below is a reference design for installing NiP in your environment. NiP can be installed in different server architectures depending on the demands for high availability.

In this document, the requirements and configurations of the server environment are explained.

Please read the “Service requirements” chapter below and check that NiP supports the current environment of the organization.

2.1 NiP-API

NiP-API (also called back-end) is a web service API that provides the requestor with information over Hypertext Transfer Protocol. The web service supports the following architectures:

- SOAP 1.1/1.2

- REST

See the chapter “Architecture of Net iD Portal” for more information about the interface.


2.2 NiP-GUI

NiP-GUI (also called front-end) is a Graphical User Interface containing the graphical layout, the handler for the NiP-API and the client-side architecture. NiP-GUI can be stored on a local client computer or on a web server.

See the chapter “Architecture of Net iD Portal” for more information.

2.3 Release life cycle

As in most software lifecycles, there is a release lifecycle that refers to the different phases of the development process and the maturity of the software versions. The phases of the NiP release lifecycle that may or will be made available to customers are:

- BETA

The phase is known as beta-release and will only be available externally for temporary tests of new or customized features ordered by a customer.

NOTE: It will not be possible to upgrade beta-releases to other releases.

Beta-releases shall not be used in production and are not supported as part of the SecMaker support service.

- RC (Release Candidate)

The phase is known as release-candidate and refers to a version of NiP with the potential to be a final release. An RC release may be made available to customers that need to test new functionality of NiP before the FRC or GA releases. The RC release can be upgraded to the FRC and GA releases.

NOTE: RC releases shall not be used in production and are not supported as part of the SecMaker support service.

- FRC (Final Release Candidate)

The FRC phase is used to test the new version at customers’ production sites to find possible “real life” issues that have not been found during the release testing at SecMaker. The release has gone through complete release testing at SecMaker and is considered as good as a GA release.

The FRC is normally released four weeks before the GA release.

NOTE: FRC releases may be used in production and are supported as part of the SecMaker support service. The FRC must however be updated to the GA release when available.

- GA (General Availability)

The phase is also known as “release to manufacturing” and is the public final release version.


3 Standards and algorithms

3.1 Date and time

Date and time are always formatted as ISO 8601 by NiP-API.

The syntax for date is:

- {YYYY}-{MM}-{DD} (e.g. 2016-01-22)

The syntax for time is:

- {HH}:{MM}:{SS} (e.g. 08:45:50)

The syntax for date time is:

- {YYYY}-{MM}-{DD} {HH}:{MM}:{SS} (e.g. 2016-01-22 08:45:50)
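The three shapes above use a space rather than the usual ISO 8601 'T' separator and carry no UTC offset, so a consumer has to know which time zone the NiP server writes in. The following added example (Python; not SecMaker code and not part of NiP-API) is a strict parser for exactly these three shapes: it rejects near-miss forms such as a 'T' separator, fractional seconds or a trailing 'Z', lets the datetime constructors reject impossible calendar dates, and converts to UTC only when the caller supplies the server's offset explicitly. The sample values are the ones from this section plus constructed near-misses.

```python
"""Strict parser for the date/time shapes emitted by NiP-API (section 3.1).

Added example; not part of the SecMaker documentation or product. It accepts
exactly the three forms the technical description lists (date, time, and
date+time joined by a single space; no fractional seconds, no 'T', no UTC
offset) and rejects everything else, so a consumer such as an audit-log
collector cannot silently mis-read a near-miss value.
"""
import re
from datetime import date, datetime, time, timedelta, timezone
from typing import Union

_DATE = r"(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})"
_TIME = r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})"

# Anchored patterns, one per shape; a value can match at most one of them.
_PATTERNS = {
    "datetime": re.compile(rf"^{_DATE} {_TIME}$"),
    "date": re.compile(rf"^{_DATE}$"),
    "time": re.compile(rf"^{_TIME}$"),
}


def classify(value: str) -> str:
    """Return 'date', 'time' or 'datetime'; raise ValueError otherwise."""
    for kind, pattern in _PATTERNS.items():
        if pattern.match(value):
            return kind
    raise ValueError(f"not a NiP-API date/time value: {value!r}")


def parse(value: str) -> Union[date, time, datetime]:
    """Parse one NiP-API value into a naive date, time or datetime.

    The datetime constructors do the calendar validation (month 1-12, day
    valid for that month and leap year, hour 0-23, ...), so '2016-02-30'
    is rejected even though it matches the pattern.
    """
    kind = classify(value)
    parts = {k: int(v) for k, v in _PATTERNS[kind].match(value).groupdict().items()}
    if kind == "date":
        return date(parts["year"], parts["month"], parts["day"])
    if kind == "time":
        return time(parts["hour"], parts["minute"], parts["second"])
    return datetime(parts["year"], parts["month"], parts["day"],
                    parts["hour"], parts["minute"], parts["second"])


def is_valid(value: str) -> bool:
    """True if value is exactly one of the NiP-API shapes and a real instant."""
    try:
        parse(value)
    except ValueError:
        return False
    return True


def to_utc(value: str, utc_offset_minutes: int) -> datetime:
    """Convert a NiP-API date+time value to an aware UTC datetime.

    The format carries no offset, so the consumer must supply the offset the
    NiP server was using when the value was written (including any daylight
    saving shift). That offset is an out-of-band assumption; the value itself
    does not tell you.
    """
    parsed = parse(value)
    if not isinstance(parsed, datetime):
        raise ValueError(f"to_utc needs a date+time value, got {value!r}")
    local = parsed.replace(tzinfo=timezone(timedelta(minutes=utc_offset_minutes)))
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    # Values from the technical description plus constructed near-misses.
    for sample in ("2016-01-22", "08:45:50", "2016-01-22 08:45:50",
                   "2016-01-22T08:45:50", "2016-01-22 08:45:50Z", "2016-02-30"):
        print(f"{sample!r:28} valid={is_valid(sample)}")
    # Server assumed to be on UTC+1 (CET, no daylight saving in January).
    print(to_utc("2016-01-22 08:45:50", 60).isoformat())
```

The offset parameter is deliberately explicit rather than defaulted: a log collector that assumes UTC for a server writing local time shifts every audit record by the server's offset, and the shift changes at daylight saving transitions.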

3.2 Public key algorithm

Public key algorithms supported by NiP-API are:

- DSA

- RSA

- ECC*

* ECC has been implemented but is not fully supported.

3.3 Digital signature

Digital signature standards supported by NiP-API are:

- PKCS#7

- XMLDSIG

- RSARAW

3.4 Encryption algorithm

Encryption algorithms supported by NiP-API are:

- 3DES (192)

- AES (128, 192, 256)

3DES is a legacy algorithm; AES should be used wherever the tokens and relying parties allow it.

3.5 Hash algorithm

Hash algorithms (also known as digests) supported by NiP-API are:

- SHA1

- SHA256

- SHA384

- SHA512

- SHA1-HMAC

- SHA256-HMAC

- SHA384-HMAC

- SHA512-HMAC

SHA1 and SHA1-HMAC should only be selected where an existing token or relying party requires them; new certificates and signatures should use one of the SHA-2 variants.


4 Service requirements

4.1 About

In this chapter you will find all the requirements that will be needed to correctly install and run NiP-API. The services that

will be needed for the NiP-API are:

- Web service

- Database service

- Certificate service

4.2 Web service

NiP-API must be installed on a web server included in the environment hierarchy.

The following service has to be installed on the web server:

- Microsoft Internet Information Services.

The following platforms can be used as a web server (Microsoft Internet Information Services is included in all platforms):

- Microsoft Windows Server 2008 R2, Standard

- Microsoft Windows Server 2008 R2, Enterprise

- Microsoft Windows Server 2012, Standard

- Microsoft Windows Server 2012 R2, Standard

- Microsoft Windows Server 2016, Standard *

- Microsoft Windows Server 2016, Datacenter *

* Support for Windows Server 2016 will be available in NiP v5.2.

NiP-API requires that one of the following .NET Frameworks is installed on the web server (.NET Framework can be downloaded from the Microsoft.com web page):

- Microsoft .NET Framework 4.5

- Microsoft .NET Framework 4.5.1

Note that .NET Framework 4.5 is already available in Windows Server 2012 (4.5.1 in Windows Server 2012 R2) and does not need to be downloaded separately.

4.3 Database service

NiP-API requires two databases to store, access and log all information and settings in the application.

NiP-API supports the following database services with latest service packs:

- Microsoft SQL Server 2008 R2, Express

- Microsoft SQL Server 2008 R2, Standard

- Microsoft SQL Server 2008 R2, Enterprise

- Microsoft SQL Server 2012, Express

- Microsoft SQL Server 2012, Standard

- Microsoft SQL Server 2012, Enterprise

- Microsoft SQL Server 2014, Express

- Microsoft SQL Server 2014, Standard

- Microsoft SQL Server 2014, Enterprise

- Microsoft SQL Server 2016, Express

- Microsoft SQL Server 2016, Standard

- Microsoft SQL Server 2016, Enterprise

- MySQL Server 5.6


Microsoft SQL Server can be installed on any Windows Server platform. Oracle MySQL Server can be installed on any Windows Server platform or on Linux SUSE.

4.4 Certificate service

NiP-API supports the following certificate services (Certificate Authorities, CA):

- Microsoft Certificate Authority (MSCA)

- PrimeKey Enterprise Java Beans Certificate Authority (EJBCA)

- NiP Internal CA (NiP-CA) *

* NiP-CA is an internal CA for test and development purpose only and is not supported.

The CAs can be installed on the following platforms:

- Microsoft Windows Server 2008 R2, Standard (MSCA)

- Microsoft Windows Server 2008 R2, Enterprise (MSCA)

- Microsoft Windows Server 2012, Standard (MSCA)

- Microsoft Windows Server 2012 R2, Standard (MSCA)

- Microsoft Windows Server 2016, Standard (MSCA) *

- Microsoft Windows Server 2016, Datacenter (MSCA) *

- Linux SUSE (EJBCA)

- Linux Ubuntu 16 (EJBCA)

* Support for Windows Server 2016 will be available in NiP v5.2.


5 Additional services

5.1 About

In this chapter you will find all the additional services that are supported by the NiP-API:

- Directory service: Microsoft Active Directory Domain Services (MSAD DS)

- Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS)

- National Citizen Register service: Swedish Tax Agency Navet (Navet)

5.2 Directory service: Microsoft Active Directory (MSAD DS)

MSAD DS can be used to get users from the current environment. NiP-API uses the Lightweight Directory Access Protocol (LDAP) to access the user object. It is possible to store a user from the current environment in the NiP system database.

5.3 Directory service: Microsoft Active Directory Lightweight Directory Services (MSAD LDS)

MSAD LDS can be used to get users from the current environment. NiP-API uses the Lightweight Directory Access Protocol (LDAP) to access the user object. It is possible to store a user from the current environment in the NiP system database.

5.4 National Citizen Register service: Swedish Tax Agency Navet (Navet)

The Swedish Citizen Register Navet can be used when creating users based on the Swedish “personnummer” (citizen identity number). The Navet service is provided by the Swedish Tax Agency (Skatteverket) and a subscription is needed to use it. It is possible to store a user from Navet in the NiP system database.


6 Architecture of Net iD Portal

6.1 About

The architecture of NiP consists of several services. The required services are:

- NiE (Net iD Enterprise)

- NiP-GUI (Net iD Portal Graphical User Interface)

- NiP-API (Net iD Portal Application Programming Interface)

- NiP-GS (Net iD Portal Generic Service)

- NiP-TS (Net iD Portal Timer Service)

- Database

- Files

6.2 NiE (Net iD Enterprise)

NiE is a PKI client, provided by SecMaker, that needs to be installed on the local client. NiE handles the local tokens, smart card readers and local libraries.

See the document “Net iD Enterprise Technical Description” for more information.

6.3 NiP-GUI (Net iD Portal Graphical User Interface)

NiP-GUI contains all the structures that can be used by the default web browser: the graphical design pack, the front-end architecture and the structures that interact with NiE. NiP-GUI can be served from a web server in the environment or from the local workstation. NiP-GUI requires NiE to be installed locally on the client.

6.4 NiP-API (Net iD Portal Application Programming Interface)

NiP-API is a web service that contains all the structures and interfaces connecting to the services on the server side.

NiP-API contains two main web services:

- Application

The purpose of the application service is to provide the NiP-GUI with a server application interface.

- External

The purpose of the external service is to provide third party vendors with a server application interface against NiP.

The interfaces of the application and external services are:

- ServiceSoap.svc

Simple Object Access Protocol (SOAP) specification of the interface, formatted as Extensible Markup Language (XML). ServiceSoap.svc uses BasicHttpBinding and all object types are formatted in PascalCase.

- ServiceRestJson.svc

Representational State Transfer (REST) specification of the interface, formatted as JavaScript Object Notation (JSON). ServiceRestJson.svc uses WebHttpBinding and all object types are formatted in PascalCase.

- ServiceRestXml.svc

Representational State Transfer (REST) specification of the interface, formatted as Extensible Markup Language (XML). ServiceRestXml.svc uses WebHttpBinding and all object types are formatted in PascalCase.

Note that neither BasicHttpBinding nor WebHttpBinding provides transport security by default; these endpoints should only be published over HTTPS configured in Microsoft Internet Information Services.


See the document “Net iD Portal API Description” for more information about all operations within the interface.

6.5 NiP-GS (Net iD Portal Generic Service)

NiP-GS is a Windows Service application running beside the web service on the local server. The purpose of NiP-GS is to relieve the web services of large and continuous data flows (tracing and logging). NiP-GS exposes a basic/mex HTTP endpoint on port 61236 by default. NiP-GS has two modules that run automatically at startup:

- TraceServer

The module receives trace calls asynchronously from the trace structure of the services and saves the traces to a local file.

- Log

The module receives log entry calls asynchronously from the services and stores the entries in the database.
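The NiP-GS endpoint above and the NiP-TS endpoint described in section 6.6 (default port 61234) are plain HTTP basic/mex endpoints intended for the NiP services on the same server. The page does not say which interface they bind to, so it is worth checking after installation. The following added example (Python; not SecMaker code) parses the output of the Windows command `netstat -ano` and reports any NiP-GS/NiP-TS listener that is not bound to loopback. The port numbers are the defaults from this document, the sample output is constructed rather than captured from a real server, and the exposure categories are the example's own.

```python
"""Check how the NiP-GS (61236) and NiP-TS (61234) HTTP endpoints are bound.

Added example; not SecMaker code. Both services expose a plain basic/mex HTTP
endpoint for use by the NiP services on the same host, so a listener bound to
every interface (0.0.0.0 or [::]) deserves a second look. Run `netstat -ano`
on the NiP server and pass its text to find_nip_listeners(); the sample below
is constructed, not captured from a real server.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default ports from the technical description. Override if you changed them.
NIP_PORTS: Dict[int, str] = {61234: "NiP-TS", 61236: "NiP-GS"}

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    service: str
    address: str
    port: int
    pid: int

    @property
    def exposure(self) -> str:
        """'loopback', 'all-interfaces' or 'specific' (one routable address)."""
        if self.address in LOOPBACK:
            return "loopback"
        if self.address in WILDCARD:
            return "all-interfaces"
        return "specific"


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def find_nip_listeners(netstat_output: str) -> List[Listener]:
    """Return the NiP-GS/NiP-TS TCP listeners found in `netstat -ano` output."""
    found: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State, PID
        if len(fields) != 5 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        if port in NIP_PORTS:
            found.append(Listener(NIP_PORTS[port], host, port, int(fields[4])))
    return found


def exposed_listeners(netstat_output: str) -> List[Listener]:
    """Only the NiP listeners that other hosts could reach."""
    return [lst for lst in find_nip_listeners(netstat_output) if lst.exposure != "loopback"]


# Constructed sample (not a real capture). PID 4 is the System process, which
# is typically what netstat shows for http.sys-hosted .NET HTTP listeners.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:61236          0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:61234        0.0.0.0:0              LISTENING       4
  TCP    [::]:61236             [::]:0                 LISTENING       4
  TCP    10.0.0.5:443           10.0.0.9:52211         ESTABLISHED     2204
"""

if __name__ == "__main__":
    for listener in find_nip_listeners(SAMPLE_NETSTAT):
        print(f"{listener.service}: {listener.address}:{listener.port} "
              f"({listener.exposure}, pid {listener.pid})")
    print("exposed:", [lst.service for lst in exposed_listeners(SAMPLE_NETSTAT)])
```

In the constructed sample NiP-TS is bound to 127.0.0.1 while NiP-GS listens on every IPv4 and IPv6 interface; the latter is the case that calls for either a loopback binding or a host firewall rule limited to the server itself.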

6.6 NiP-TS (Net iD Portal Timer Service)

NiP-TS is a Windows Service application running beside the web service on the local server. NiP-TS runs scheduled background processing against NiP. Its settings can be modified through the “Administration” section of the portal.

NiP-TS exposes a basic/mex HTTP endpoint on port 61234 by default. NiP-TS has several modules that can be run at different time intervals. The modules are:

- Monitor

The module monitors the system through different kinds of tasks. The module runs every 10 minutes by default and checks for scheduled work in the NiP system. The tasks are:

- Automatically logout of inactive users.

- Notification of certificates that are going to expire.

- Release of inactive tasks.

- Deletion of expired tasks.

- Status updates for certificates.

- Status updates for tokens.

- Uploader

The module monitors a local server directory path for files to upload to NiP in different kinds of tasks. The tasks are:

- Processing of updated text resources.

- Processing batch of users that should be created.

- Processing batch of personalized token orders for users.

- Gemalto *.*

These modules handle ordering, status and revocation of tokens against the token manufacturer Gemalto.

Example of settings:

The default module is “MonitorModule”. The non-default modules in the Timer Service are custom actions.

<Modules>
  <Module Name="MonitorModule">
    <ModuleAssemblyFile>SecMaker.NiP.TS.Module.Monitor.dll</ModuleAssemblyFile>
    <ModuleClassName>SecMaker.NiP.TS.Module.MonitorModule</ModuleClassName>
    <TimerSeconds>600</TimerSeconds>
  </Module>
</Modules>

The <TimerSeconds> element specifies, in seconds, how often the module runs (e.g. 600 = every 10 minutes).

6.7 Database

NiP-API stores all data in two databases. The purposes of the two databases are:

- System

Contains all the data of the application configuration, users, tokens and certificates.

- Log

Separated database that contains all the log information (also known as audit logs).

6.8 Database collations

NiP-API uses the following default database collations:

- Microsoft SQL Server: SQL_Latin1_General_CP1_CI_AS

- Oracle MySQL: UTF8_GENERAL_CI with UTF-8 as the default character set.

6.9 Database constraints

NiP-API uses the following constraint name syntax for the database tables:

- PrimaryKeys: PK_%TABLENAME%_ID

- ForeignKeys: FK_%TABLENAME%_%PRIMARYKEYREFERENCE%

- DefaultConstraintName: DF_%TABLENAME%_%COLUMNNAME%

Note that Microsoft SQL Server allows constraint names of at most 128 characters and Oracle MySQL at most 64 characters (the identifier length limit of each database), so names generated from this schema must stay within those limits.
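As an added example (not SecMaker code), the following Python script generates the constraint names for a few of the relation tables listed in 6.10 under the schema above and reports the names each backend would reject. The long table name at the end of SCHEMA and the defaulted column name are constructed for the example to show the MySQL limit being hit.

```python
"""Generate NiP-style constraint names and check them against the identifier
length limits of the supported database backends.

Added example, not SecMaker code. The PK_/FK_/DF_ schema is the one described
above; the limits are the vendors' documented maxima (128 characters for
SQL Server identifiers, 64 for MySQL identifiers).
"""

IDENTIFIER_LIMITS = {"mssql": 128, "mysql": 64}


def primary_key_name(table):
    return f"PK_{table}_ID"


def foreign_key_name(table, referenced_table):
    return f"FK_{table}_{referenced_table}"


def default_constraint_name(table, column):
    return f"DF_{table}_{column}"


def constraint_names(table, references=(), defaulted_columns=()):
    """All constraint names one table needs under the schema above."""
    names = [primary_key_name(table)]
    names += [foreign_key_name(table, ref) for ref in references]
    names += [default_constraint_name(table, col) for col in defaulted_columns]
    return names


def too_long(names, backend):
    """Return the names that the given backend would reject."""
    limit = IDENTIFIER_LIMITS[backend]
    return [n for n in names if len(n) > limit]


# Relation tables taken from the table list in this chapter, paired with the
# tables their foreign keys point at. The defaulted column "created" and the
# over-long last table name are constructed for this example.
SCHEMA = {
    "task_type_privilege_relns": (["task_types", "privileges"], ["created"]),
    "role_usr_grps_relns": (["roles", "usr_grps"], []),
    "tkn_crt_tml_relns": (["tkn_tmls", "crt_tmls"], []),
    "customer_specific_token_manufacturer_order_status_relns": (
        ["tkn_mfrs", "customer_specific_token_orders"], []),
}


def audit_schema(schema, backend):
    """Map each table to the constraint names that exceed the backend limit."""
    problems = {}
    for table, (references, defaulted) in schema.items():
        bad = too_long(constraint_names(table, references, defaulted), backend)
        if bad:
            problems[table] = bad
    return problems


if __name__ == "__main__":
    for backend in IDENTIFIER_LIMITS:
        print(backend, audit_schema(SCHEMA, backend))
```

Run the audit against the MySQL limit before creating customized tables: the primary key of the long table still fits, but both of its foreign key names exceed 64 characters and would be rejected when the schema is applied.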

6.10 Database tables

The system database contains several tables for different types of storage. The table names are abbreviated and describe their own purpose. The tables below are listed using the following layout:

Abbreviated table name

Unabbreviated table name

Purpose

The tables of the system database are:

- act_usrs

Active Users

Contains information and handle types for the currently logged-on users.

- adm_cfgs

Administration Configurations

Contains static task configuration of the administration types.

- cache_objs

Cache Objects

Contains different type of cache objects.


- cm_soc_sec_nrs

Customized Social Security Numbers

Contains customized social security numbers for a specific feature (see the User Guide for more information).

- creds

Credentials

Contains credential information for third party services.

- crt_auths

Certificate Authorities

Contains information about the certificate authority services.

- crt_tmls

Certificate Templates

Contains information about the certificate templates.

- crts

Certificates

Contains information and binary data of the stored certificates.

- dir_svcs

Directory Services

Contains information about the directory services.

- gen_sets

Generic Settings

Contains generic settings and configuration of the NiP-API instance.

- hist_tkns

Historical Tokens

Contains a list of a user’s historical tokens.

- key_objs

Key Objects

Contains binary key objects for different types of relations.

- lic_svc_nie (under development)

Undefined

Undefined

- lic_svc_nie_mstr (under development)

Undefined

Undefined

- lic_svc_nip (under development)

Undefined

Undefined

- natl_regs

National Registrations

Contains information about the national citizen register services.


- org_ofc_addrs

Organization Office Addresses

Contains information about the addresses for an office of an organization.

- org_ofcs

Organization Offices

Contains information about the offices of an organization.

- orgs

Organizations

Contains information about the organizations.

- otps

One Time Passwords

Contains temporary one-time password object types.

- privileges

Privileges

Contains a list of static and customized privileges.

- role_privilege_relns

Role Privilege Relations

Contains relation keys between roles and privilege tables.

- role_usr_grps_relns

Role User Group Relations

Contains relation keys between roles and user groups tables.

- roles

Roles

Contains a list of roles.

- rprts

Reports

Contains the report templates.

- sa_key_objs (under development)

Undefined

Undefined

- sa_key_usr_relns (under development)

Undefined

Undefined

- sa_key_usrs (under development)

Undefined

Undefined

- sms_tmls

SMS Templates

Contains information about the SMS templates.


- smtp_tmls

SMTP Templates

Contains information about the SMTP templates.

- srvs

Servers

Contains server objects.

- task_type_privilege_relns

Task Type Privilege Relations

Contains relation keys between task type and privilege tables.

- task_types

Task Types

Contains a list of static and customized task types.

- tasks

Tasks

Contains task objects.

- tkn_crt_tml_relns

Token Template Certificate Template Relations

Contains relation keys between token template and certificate template tables.

- tkn_mfrs

Token Manufacturers

Contains information about external token manufacturers.

- tkn_prfls

Token Profiles

Contains information about token profile configurations.

- tkn_rgtr

Token Register

Contains customized token register.

- tkn_tmls

Token Templates

Contains information about token templates.

- tkn_usr_relns

Token User Relations

Contains relation keys between token and user tables.

- tkns

Tokens

Contains token objects.

- usr_grp_relns

User Group Relations

Contains relation keys between user and group tables.


- usr_grps

User Groups

Contains user group objects.

- usr_imgs

User Images

Contains user image binaries.

- usrs

Users

Contains user objects.

- version

Version

Contains current database context version.

The tables of the log database are:

- log_ents

Log Entries

Contains information, binary data and signatures of the log entries.

6.11 Database documentation

See the documents “Net iD Portal - Database Documentation” and “Net iD Portal - Database_log Documentation” for

complete information about the databases.

6.12 Files: NiP-GUI

The file structure of NiP-GUI:

- %path%\%version%\asset\css

Contains the cascading style sheets (css) of the GUI.

- %path%\%version%\asset\fonts

Contains the fonts of the GUI.

- %path%\%version%\asset\image

Contains the images of the GUI.

- %path%\%version%\language

Contains the local language files in json format.

- %path%\%version%\app.js

GUI and front-end application structure.

- %path%\%version%\config.js

Configuration of the GUI.

- %path%\index.html

Default start page.

6.13 Files: NiP-API

The file structure of NiP-API:


- %path%\bin\*.*

Contains all the assemblies and libraries.

- %path%\texts\*.*

Contains local trace files generated by NiP-API.

- %path%\Global.asax

Specifies the handler for the instance of NiP-API.

- %path%\ServiceRestJson.svc

NiP-API REST interface formatted as Json.

- %path%\ServiceRestXml.svc

NiP-API REST interface formatted as Xml.

- %path%\ServiceSoap.svc

NiP-API SOAP interface.

- %path%\Trace.svclog

Instance diagnostic trace.

- %path%\Web.Config

Instance configuration of the NiP-API and web service.

6.14 Files: NiP-GS

The file structure of NiP-GS:

- %path%\*.dll

All the assemblies and libraries (same files as for NiP-API and NiP-TS).

- %path%\texts\*.*

Contains local trace files generated by NiP-GS.

- %path%\SecMaker.NiP.GS.exe

The executable file that is installed in the Windows Service Manager.

- %path%\SecMaker.NiP.GS.exe.config

Instance configuration of the NiP-GS.

6.15 Files: NiP-TS

The file structure of NiP-TS:

- %path%\*.dll

All the assemblies and libraries (same files as for NiP-API and NiP-GS).

- %path%\texts\*.*

Contains local trace files generated by NiP-TS.

- %path%\SecMaker.NiP.TS.exe

The executable file that is installed in the Windows Service Manager.

- %path%\SecMaker.NiP.TS.exe.config

Instance configuration of the NiP-TS.


7 Ports and protocols

7.1 About

This chapter explains which ports and protocols NiP uses by default.

7.2 Web service: Microsoft Internet Information Services

Application protocol: HTTPS

Protocol: TCP

Port: 443

7.3 Database service: MS SQL Server

System service name: MSSQLSERVER

Application protocol: SQL over TCP

Protocol: TCP

Port: 1433 (MS SQL Server default port)

7.4 Certificate service: Microsoft Certificate Authority

System service name: CertSvc

Application protocol: RPC

Protocol: TCP

Port: 135 (RPC endpoint mapper), plus dynamically allocated high TCP ports for the CertSvc RPC interface

7.5 Certificate service: EJBCA

Application protocol: HTTPS

Protocol: TCP

Port: 8443


8 Installation and configuration

8.1 About

This section will explain how to install and configure the services that are required by NiP.

Install and configure the services in the following sequence:

- Install and configure the web service.

- Install and configure the database service.

- Install and configure the certificate service.

8.2 Install and configure the web service

8.2.1 Server role

- Start the “Server Manager” in the Windows Server operating system.

- Start the “Add Roles and Features” wizard.

- Add the “Web Server (IIS)” role.

- Add the “Application Server” role including the sub roles: “.NET Framework 4.5”, “COM+ Network Access” and

“Web Server (IIS) Support”.

- Close the “Server Manager” and restart the server.

8.2.2 NiP-API

- Extract the NiP-API files from the “WebServiceApplication” package (delivered by SecMaker AB) to a directory path of your choice on the local server (e.g. ‘C:\Program Files\Net iD Portal\WebServiceApplication’).

- Start the “Internet Information Services (IIS) Manager”.

- Add a new “Application Pool” with a name of your choice. Set the “.NET CLR version” to ‘4.0.30319’ and the “Managed pipeline mode” to ‘Integrated’.

- Open “Advanced Settings” of the created application pool. Set the “Application Pool Identity” either to the built-in account ‘ApplicationPoolIdentity’ or to a custom account that has already been configured as a service account in the environment. The service account is the actual account that needs to access the other necessary services of the environment (i.e. the database and certificate services), so grant it only the permissions those services require.

- Create a new “Virtual Directory” or “Web Site” and set the physical path to the extracted NiP-API path. Choose the “Application Pool” and set an “Alias” of your choice.

- Test the NiP-API by browsing to and downloading the WSDL file (e.g. http://server/api/servicesoap.svc?singlewsdl).

- If using NiP-API with SSL/TLS (recommended for anything beyond local testing), open the web.Config file and modify the bindings

from:

<security mode="None"></security>

to:

<security mode="Transport">
  <transport clientCredentialType="None"></transport>
</security>

Note that a “Transport” binding requires the IIS site to have an HTTPS binding (port 443, see chapter 7); with mode="None" all API traffic is exchanged in clear text.
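The binding change above is the difference between the API being served in clear text and over TLS. As an added example, not code from SecMaker or from the product, the following Python script audits a web.config for bindings that are still at mode="None" (or have no <security> element, which WCF treats the same way) and rewrites them as shown above. The web.config fragment and its binding names are constructed for the example; only the <security mode> and <transport clientCredentialType> attributes come from the step above.

```python
"""Find and fix NiP-API bindings that are still configured for clear-text HTTP.

Added example, not SecMaker code. SAMPLE_WEB_CONFIG is a constructed fragment
in the shape of a WCF web.config; the binding names are assumptions.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="SoapBinding">
          <security mode="None"></security>
        </binding>
      </basicHttpBinding>
      <webHttpBinding>
        <binding name="RestJsonBinding">
          <security mode="Transport">
            <transport clientCredentialType="None"></transport>
          </security>
        </binding>
        <binding name="RestXmlBinding" />
      </webHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""


def _security_mode(binding):
    # WCF treats a missing <security> element as mode="None".
    sec = binding.find("security")
    return sec.get("mode", "None") if sec is not None else "None"


def plaintext_bindings(config_xml):
    """Names of bindings that would accept the API over plain HTTP."""
    root = ET.fromstring(config_xml)
    return [b.get("name", "<unnamed>") for b in root.iter("binding")
            if _security_mode(b) != "Transport"]


def harden_bindings(config_xml, client_credential_type="None"):
    """Rewrite every non-Transport binding to TLS; return (new xml, changed names)."""
    root = ET.fromstring(config_xml)
    changed = []
    for binding in root.iter("binding"):
        if _security_mode(binding) == "Transport":
            continue
        sec = binding.find("security")
        if sec is None:
            sec = ET.SubElement(binding, "security")
        sec.set("mode", "Transport")
        transport = sec.find("transport")
        if transport is None:
            transport = ET.SubElement(sec, "transport")
        # "None" = TLS server authentication only; no client certificate is
        # required at the binding, user authentication is done by the application.
        transport.set("clientCredentialType", client_credential_type)
        changed.append(binding.get("name", "<unnamed>"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("clear-text bindings:", plaintext_bindings(SAMPLE_WEB_CONFIG))
    hardened, names = harden_bindings(SAMPLE_WEB_CONFIG)
    print("rewritten:", names)
    print(hardened)
```

Run plaintext_bindings against the deployed web.Config after installation and again after every upgrade, since step 3 of 9.3 keeps the old file but a new package may add bindings.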

8.2.3 NiP-GUI

- Extract the NiP-GUI files from the package to a directory path of your choice on the local server (e.g. ‘C:\Program Files\Net iD Portal\GUI’).

- Open the “config.js” file and set “backendUrl” to the created service (e.g. ‘http://server/api/servicesoap.svc’, or the https:// address when the API binding uses transport security).

- Start the “Internet Information Services (IIS) Manager”.


- Create a new “Virtual Directory” or “Web Site” and set the physical path to the extracted NiP-GUI path. Choose the “Application Pool” and set an “Alias” of your choice.

- Test the NiP-GUI by browsing to its URL (e.g. ‘http://server/gui/index.html’).

8.3 Install and configure the database service

8.3.1 Microsoft SQL Server

- Start the setup wizard.

- Add the feature “Database Engine Services”.

- Add the feature “Management Tools – Basic”.

- Set an “Instance” name of your choice.

- Set the “Collation” to ‘SQL_Latin1_General_CP1_CI_AS’ (the Windows-1252/CP-1252 character encoding).

- Set the “Authentication Mode” to ‘Windows Authentication’ only. The database needs a login for the service account that will also be used by the Application Pool described above.

8.3.2 Oracle MySQL

- Start the setup wizard.

- Add the feature: “MySQL Server”.

- Add the feature: “MySQL Workbench”.

- Set the “Collation” mode to ‘UTF8_GENERAL_CI’ with default character set as ‘UTF-8’.

8.4 Install and configure the certificate service

8.4.1 Microsoft Certificate Authority (MSCA)

- Start the “Server Manager” in the Windows Server operating system.

- Start the “Add Roles and Features” wizard.

- Add the “Active Directory Certificate Services” role including the sub role ‘Certification Authority’.

The MSCA can be configured in different ways depending on purpose. The two main instance types for MSCA are:

- Stand Alone CA

The Stand Alone CA makes no external or extra calls when generating the end entity certificate. It only signs the certificate request and issues the certificate. All information to be included in the end entity certificate must therefore be present in the certificate request.

- Enterprise CA

The Enterprise CA is the most common usage type for MSCA. The Enterprise CA has several certificate templates for generating end entity certificates more dynamically, especially when issuing certificates to different kinds of users and computers.

NiP-API supports both Stand Alone CA and Enterprise CA, and also supports the following enrollment modes for both instance types:

- Stamp

NiP-API creates the certificate request in PKCS#10 format containing all information about the certificate and sends the request to the CA. The CA only applies its signature in the issuance process (stamp). This scenario is very useful when issuing computer certificates.

- Modifier

NiP-API creates a certificate request in PKCS#10 format that only contains information about the end entity. The request is sent to the CA and NiP-API then modifies the remaining certificate extension content of the certificate that the CA will issue. This scenario is very useful when issuing certificates across domains and services.


- Microsoft Enrollment Agent (Microsoft Enterprise CA only)

NiP-API creates a certificate request in CMC format containing information about the end entity and an enrollment agent, and sends it to the CA. The CA looks up the end entity object in Microsoft Active Directory and issues the certificate to that object.

8.4.2 MSCA policy modifications

In some cases and scenarios, there must be some modifications done for the MSCA that overrides the default

settings. These modifications can be done with the “certutil.exe” (“Certificate Utility”) in Microsoft Windows platform.

The MSCA service must be restarted after policies or settings have been changed. The most common policies and

settings changes are:

- Type: RequestDisposition

Flags: REQDISP_ISSUE = 1, REQDISP_PENDINGFIRST = 256

Command: certutil -setreq policy\RequestDisposition %FLAGS%

Explanation: This command changes the policy of the request handling for the MSCA.

- Type: EnableRequestExtensionList

Flags: +%OID% (add extension) or -%OID% (remove extension)

Command: certutil -setreg policy\EnableRequestExtensionList +%OID%

Explanation: This command allows customized extensions in the issued certificate (e.g. ‘certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.1.3’ allows the “Qualified Certificate Statements” (qcStatements) extension in the request).

- Type: RequestExtensionList

Flags: +EDITF_REQUESTEXTENSIONLIST (add flag) or -EDITF_REQUESTEXTENSIONLIST (remove flag).

Command: certutil -setreg policy\EditFlags +EDITF_REQUESTEXTENSIONLIST

Explanation: This command allows customized extensions from the request to be added to the issued certificate.

- Type: AttributeEndDate

Flags: +EDITF_ATTRIBUTEENDDATE (add flag) or -EDITF_ATTRIBUTEENDDATE (remove flag).

Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

Explanation: This command allows the validity period of an issued certificate to be customized within the span of its certificate template; otherwise the validity of the issued certificate is always the one specified in the certificate template (Enterprise CA only).

- Type: BasicConstraintsCritical

Flags: +EDITF_BASICCONSTRAINTSCRITICAL (add flag) or -EDITF_BASICCONSTRAINTSCRITICAL

(remove flag).

Command: certutil -setreg policy\EditFlags +EDITF_BASICCONSTRAINTSCRITICAL

Explanation: This command sets the basic constraints as critical in the issued certificate.

- Type: AttributeSubjectAltName2

Flags: +EDITF_ATTRIBUTESUBJECTALTNAME2 (add flag) or -EDITF_ATTRIBUTESUBJECTALTNAME2 (remove flag).

Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Explanation: This command allows NiP-API to set the SubjectAlternativeName extension of the issued certificate. Note that the flag is CA-wide: with it set, the CA accepts a SubjectAlternativeName supplied as a request attribute from any requester that is permitted to enroll, so keep Enroll permissions on the templates issued by this CA restricted to the accounts that need them (e.g. the NiP-API service account) and review them whenever a template is added.

- Type: AllowRequestAttributeSubject

Flags: +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (add flag) or

-CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (remove flag).

Command: certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

Explanation: This command allows customized subject names (or OIDs) in the subject of the issued certificate.


- Type: SubjectTemplate

Flags: +%OID% (add subject name attribute) or -%OID% (remove subject name attribute).

Command: certutil -setreg ca\SubjectTemplate +%OID%

Explanation: This command allows customized subject name attributes in the subject of the issued certificate (e.g. ‘certutil -setreg ca\SubjectTemplate +2.5.4.5’ allows the “SerialNumber” attribute in the subject).

- Type: RebuildModifiedSubjectOnly

Flags: +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (add flag) or

-CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (remove flag).

Command: certutil -setreg ca\CRLFlags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY

Explanation: This command allows any custom OID in the subject of the issued certificate. There is no need to

modify the “SubjectTemplate” described above. Note that this only works when enrollment mode is set to

“Stamp” which means that all customized OIDs must be set in the certificate request. This will not work in

“Modifier” enrollment mode.

- Type: EnforceX500NameLengths

Flags: 1 (enforce) or 0 (do not enforce).

Command: certutil -setreg ca\EnforceX500NameLengths 0

Explanation: Setting the value to 0 allows subject name attribute values longer than the X.500 limit of 64 characters that is enforced by default.

- Type: ValidityPeriod

Flags: %PERIODSTRING% (Years, Months, Hours, Minutes, Seconds).

Command: certutil -setreg ca\ValidityPeriod %PERIODSTRING%

Explanation: This command sets the unit of the maximum validity period of issued certificates (e.g. ‘certutil -setreg ca\ValidityPeriod Years’ sets the unit to years). Note that this is only useful when using a “Stand Alone CA” with enrollment mode “Modifier”. The command has no effect on an “Enterprise CA” because the certificate template overrides the maximum validity period.

- Type: ValidityPeriodUnits

Flags: %PERIODINTEGER%

Command: certutil -setreg ca\ValidityPeriodUnits %PERIODINTEGER%

Explanation: This command sets the number of units in the maximum validity period of issued certificates (e.g. ‘certutil -setreg ca\ValidityPeriodUnits 2’ sets it to “2”, i.e. 2 years when used with the “ValidityPeriod” example above). Note that this is only useful when using a “Stand Alone CA” with enrollment mode “Modifier”. The command has no effect on an “Enterprise CA” because the certificate template overrides the maximum validity period. Note also that the maximum validity period cannot exceed the remaining validity of the CA certificate itself.
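Because these flags are CA-wide and outlive the individual setup procedures below, it is worth checking what is actually set before and after changing them. As an added example, not code from SecMaker or Microsoft, the following Python script parses the listing that certutil -getreg policy\EditFlags prints, cross-checks the listed flags against the DWORD value, decodes a RequestDisposition value with the constants given above, and raises the findings a reviewer would raise for the settings in this section. The sample output, the CA name CA01 and the “FLAG -- hex” listing format it assumes are constructed for the example; feed in the real certutil output from your CA.

```python
"""Audit a Microsoft CA's policy flags from `certutil -getreg` output.

Added example, not SecMaker code. SAMPLE_OUTPUT is constructed for this
example and assumed to follow certutil's "FLAG -- hex" listing format;
run `certutil -getreg policy\EditFlags` on the CA and feed in the real
output. RequestDisposition constants are the ones given in the text
(REQDISP_ISSUE = 1, REQDISP_PENDINGFIRST = 256).
"""
import re

# Constructed sample; "CA01" is a placeholder CA name.
SAMPLE_OUTPUT = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA01\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

REQDISP = {"REQDISP_ISSUE": 1, "REQDISP_PENDINGFIRST": 256}

_VALUE_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")
_FLAG_RE = re.compile(r"^\s+(EDITF_[A-Z0-9_]+)\s+--\s+([0-9a-fA-F]+)", re.M)


def parse_editflags(output):
    """Return ({flag name: bit value}, DWORD total) from certutil output."""
    m = _VALUE_RE.search(output)
    if m is None:
        raise ValueError("no EditFlags REG_DWORD line in output")
    total = int(m.group(1), 16)
    flags = {name: int(hexval, 16) for name, hexval in _FLAG_RE.findall(output)}
    return flags, total


def flags_consistent(flags, total):
    """True when the listed flags are single bits that add up to the DWORD."""
    single_bits = all(v > 0 and v & (v - 1) == 0 for v in flags.values())
    return single_bits and sum(flags.values()) == total


def decode_request_disposition(value):
    """Names of the REQDISP_ bits set in a RequestDisposition value."""
    return [name for name, bit in REQDISP.items() if value & bit]


def audit_ca_policy(output, ca_type):
    """Findings for the settings in this section; ca_type is 'enterprise' or 'standalone'."""
    flags, total = parse_editflags(output)
    findings = []
    if not flags_consistent(flags, total):
        findings.append("parsed flags do not match the EditFlags DWORD; re-check the input")
    if "EDITF_ATTRIBUTESUBJECTALTNAME2" in flags and ca_type == "enterprise":
        findings.append(
            "EDITF_ATTRIBUTESUBJECTALTNAME2 on an Enterprise CA: any principal that can "
            "enroll for an issued template can supply its own SubjectAltName as a "
            "request attribute; restrict Enroll permissions on every issued template")
    if "EDITF_ATTRIBUTEENDDATE" in flags and ca_type != "enterprise":
        findings.append("EDITF_ATTRIBUTEENDDATE has no effect on a Stand Alone CA")
    return findings


if __name__ == "__main__":
    print(decode_request_disposition(257))
    for finding in audit_ca_policy(SAMPLE_OUTPUT, "enterprise"):
        print("-", finding)
```

The consistency check catches a truncated or hand-edited listing before any conclusion is drawn from it; the SubjectAltName finding is the one to act on before pointing NiP-API at an Enterprise CA that other templates are issued from.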

8.4.3 Setup MSCA as a Stand Alone CA and enrollment mode as Stamp:

- Set the CA instance as ‘stand-alone root CA’ or ‘subordinate CA’.

- Set the “CSP” as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using

ECC).

- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 1

The CA will now issue the certificate automatically.

8.4.4 Setup MSCA as a Stand Alone CA and enrollment mode as Modifier:

- Set the CA instance as ‘stand-alone root CA’ or ‘subordinate CA’.

- Set the CSP as “RSA Microsoft Key Storage Provider” (or “ECDSA Microsoft Key Storage Provider” if using

ECC).

- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 257

The CA will now set the request as pending before issuing the certificate.


8.4.5 Setup MSCA as an Enterprise CA and enrollment mode as Modifier:

- Set the CA instance as ‘Enterprise root CA’ or ‘subordinate CA’.

- Set the CSP as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using

ECC).

- Run the “Certificate Utility” command: certutil -setreg policy\RequestDisposition 257

The CA will now set the request as pending before issuing the certificate.

- Open the “Certification Authority” snap-in.

- Right-click “Certificate Templates” and choose “Manage”.

- Right-click the “User” template, choose “Duplicate Template” and select the “Compatibility Settings” for the current environment.

- Set a “Template Display Name” and “Template Name” of your choice in the “General” tab. Make sure that the “Publish certificate in Active Directory” property is disabled.

- Set the “Purpose” in the “Request Handling” tab. Disable the “Allow private key to be exported” property.

- Set the “CSP” and the key length (“Minimum key size”) in the “Cryptography” tab.

- Set “CA certificate manager approval” in the “Issuance Requirements” tab.

- Set “Supply in the request” in the “Subject Name” tab.

- Click “OK”.

- Right-click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.

- Choose the template that was just created.

- Close the snap-in and restart the MSCA service.

8.4.6 Setup MSCA as an Enterprise CA and enrollment mode as EnrollmentAgent:

- Set the CA instance as ‘Enterprise root CA’ or ‘subordinate CA’.

- Set the CSP as ‘RSA Microsoft Key Storage Provider’ (or ‘ECDSA Microsoft Key Storage Provider’ if using

ECC).

- Open the “Certification Authority” snap-in.

- Right-click “Certificate Templates” and choose “Manage”.

- Open the “Enrollment Agent (Computer)” certificate template and open the “Security” tab.

- Add the computer account of the NiP-API server (e.g. ‘webserver$’) and grant it the “Read” and “Enroll” permissions.

- Click “OK”.

- Right-click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.

- Choose the template “Enrollment Agent (Computer)”.

- Open the “Certificates” snap-in (computer account) on the NiP-API server.

- Open the “Personal” folder and right-click “Certificates” > “All Tasks” > “Request New Certificate”.

- Issue a certificate from the template “Enrollment Agent (Computer)”.

- Set the “Security Permissions” of the certificate (i.e. Computers and/or User Groups).

8.4.7 Enterprise Java Beans Certificate Authority (EJBCA):

Please read the documentation on ejbca.org or contact PrimeKey for a professional installation of EJBCA.

- Install EJBCA.

- Setup the Certificate Authority.

- Create an administrator user to be used as the web service user (e.g. ws-user) with the correct privileges.

- Create a PKCS#12 file for the web service user and install the content of the PKCS#12 file on the web server.

- Set the permissions on the private key so that it is accessible by the NiP-API service account (and by nothing else).

- Set the web service user’s status to ‘Generated’ to ensure that no additional certificates can be enrolled for this account by mistake.

- Test the EJBCA web service by browsing to and downloading the WSDL file (e.g. https://ejbca:8443/ejbca/ejbcaws/ejbcaws?wsdl).

For more information on how to set up EJBCA, please read the documentation at the following link: http://www.ejbca.org/.


9 Uninstall the application

9.1 About

This chapter will explain the NiP uninstall procedure.

9.2 Settings and dependencies

When NiP is uninstalled, the current database together with some files and settings remain in the system, even though the application has been uninstalled.

The settings that remain in the system are:

- [INTERNET INFORMATION SERVICE]\[Application Pools]\NiPAppPool

- [INTERNET INFORMATION SERVICE]\[WebSite or VirtualDirectory]

- [INTERNET INFORMATION SERVICE]\[WebSite or VirtualDirectory]EWS

The objects in Internet Information Services are kept in the system because of special settings in IIS and are not removed automatically, to facilitate upgrading of NiP.

9.3 Upgrading

When upgrading NiP, the current version of the application must first be uninstalled.

Use the current installation package from SecMaker AB:

1) Unzip the installation package file.

2) Stop the services “Net iD Portal Generic Service” and “Net iD Portal Timer Service”.

3) IMPORTANT: Do not replace the following files when upgrading:

<Installation Directory>\WebServiceApplication\Web.config

<Installation Directory>\WebServiceExternal\Web.config

<Installation Directory>\GenericService\SecMaker.NiP.GS.exe.config

<Installation Directory>\TimerService\SecMaker.NiP.TS.exe.config

4) Replace the files in the installation folder with the new files obtained from SecMaker.

5) Run SecMaker.NiP.Commander.exe and choose commands [1] and [6]. Follow the instructions to upgrade the database.

9.4 Complete uninstallation

Do the following steps to make a complete uninstall of NiP. Note that all settings and information about the users in NiP

will be erased!

1) Delete all files in the Net iD Portal directory.

2) Stop the windows services “Net iD Portal Generic Service” and “Net iD Portal Timer Service”.

3) Run PowerShell with administrative privileges and enter the following commands to uninstall the Windows services:

$service1 = Get-WmiObject -Class Win32_Service -Filter "Name='Net iD Portal Generic Service'"
$service1.Delete()
$service2 = Get-WmiObject -Class Win32_Service -Filter "Name='Net iD Portal Timer Service'"
$service2.Delete()

4) Delete the installation directory of NiP

(i.e. <Net iD Portal Installation Directory>\Net iD Portal\).

5) Open “Microsoft Internet Information Service”.


6) Delete the installed WebSites (or Virtual Directories) (i.e. ‘nip’ and ‘nipEWS’).

7) Go to the “Application Pools” in “Internet Information Service” and delete the ‘NiPAppPool’ object.

8) Close “Microsoft Internet Information Service”.

9) Open “Microsoft SQL Management Studio”.

10) Delete the current system database and log database (i.e. ‘NiPDB’, ‘NiPDB_log’, and ‘NiPDB_logClient’).

11) Expand “Security” tree and open “Logins” directory.

12) Delete the “NiPDBUser” service account.

13) Close “Microsoft SQL Management Studio”.

14) The NiP structure is now uninstalled from the system.


10 Troubleshooting

10.1 About

This chapter explains how to enable/disable different types of trace for Net iD Portal.

10.2 Trace: Net iD Enterprise

To enable trace for the Net iD Enterprise PKI client, right-click the Net iD icon in the Windows notification area (taskbar) > Trace > Enable. To open the trace file, right-click the Net iD icon in the notification area > Trace > Open.

See the document “Net iD Enterprise Technical Description” for more information.

10.3 Trace: Net iD Portal with log4net extension

To enable trace for Net iD Portal, open the “web.Config” file and search for the <log4net></log4net> XML node. Change the value of the “threshold” attribute to “All” (i.e. <log4net threshold="All">). Note that log4net then traces all calls within the process and can degrade performance. To disable the log4net trace extension, change the “threshold” value to “Off” (i.e. <log4net threshold="Off">).

10.4 Trace: Net iD Portal with Generic Service (Trace Server)

To enable trace for Net iD Portal without degrading performance, use the “Trace Server” provided by the “Generic Service”. Log in to NiP and go to the “Administration” section. Use the “Settings” type and update the “Net iD Portal” settings task. Change the value of the attribute “TraceSrvEnabled” to “1”, then click “Execute” to apply the change. To disable the Trace Server, change the value of “TraceSrvEnabled” to “0”.

10.5 Trace: Microsoft Internet Information Services Diagnostics

If NiP-API cannot be called, use the system diagnostics of Microsoft Internet Information Services. Open the “web.Config” file and search for the <system.diagnostics></system.diagnostics> XML node. Change the value of the “switchValue” attribute of the <source name="System.ServiceModel"> element to “All” (i.e. <source name="System.ServiceModel" switchValue="All">). To disable the diagnostics trace, change the value to “Off” (i.e. <source name="System.ServiceModel" switchValue="Off">).
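Both switches in 10.3 and 10.5 live in the same web.Config, and trace output left enabled after troubleshooting keeps writing operational detail to disk (Trace.svclog and the texts directory listed in 6.13). As an added example, not code from SecMaker, the following Python script reports the current state of both switches and turns them on or off together; the web.Config fragment is constructed and carries only the elements this chapter refers to.

```python
"""Report and switch the two trace settings described in 10.3 and 10.5.

Added example, not SecMaker code. SAMPLE_WEB_CONFIG is a constructed fragment
holding only the <log4net threshold> attribute and the System.ServiceModel
trace source from a web.Config.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <log4net threshold="All">
    <root><level value="DEBUG" /></root>
  </log4net>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel" switchValue="Off">
        <listeners><add name="svclog" /></listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>
"""

SOURCE_NAME = "System.ServiceModel"


def _servicemodel_source(root):
    for src in root.iter("source"):
        if src.get("name") == SOURCE_NAME:
            return src
    return None


def trace_status(config_xml):
    """Current value of each switch ("Off", "All", ...) or None if the element is absent."""
    root = ET.fromstring(config_xml)
    log4net = root.find("log4net")
    src = _servicemodel_source(root)
    return {
        "log4net": log4net.get("threshold") if log4net is not None else None,
        SOURCE_NAME: src.get("switchValue") if src is not None else None,
    }


def tracing_enabled(config_xml):
    """True if either switch is anything other than Off (or missing)."""
    return any(v not in (None, "Off") for v in trace_status(config_xml).values())


def set_tracing(config_xml, enabled):
    """Return web.Config text with both switches set to All (enabled) or Off."""
    value = "All" if enabled else "Off"
    root = ET.fromstring(config_xml)
    log4net = root.find("log4net")
    if log4net is not None:
        log4net.set("threshold", value)
    src = _servicemodel_source(root)
    if src is not None:
        src.set("switchValue", value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(trace_status(SAMPLE_WEB_CONFIG), "enabled:", tracing_enabled(SAMPLE_WEB_CONFIG))
    print(trace_status(set_tracing(SAMPLE_WEB_CONFIG, enabled=False)))
```

Run tracing_enabled as part of the post-troubleshooting checklist: a threshold of "All" that was never reset is the usual reason trace files keep growing on a production server, and the files under %path%\texts and Trace.svclog should be removed, or at least have their ACLs restricted, once the investigation is over.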

10.6 Error codes and messages

This section lists the error codes from NiP. There are error codes related to the login process, to the NiP-GUI (client side) and to the NiP-API (server side).

All error message texts can be customized if you want to add or change the message shown to users for a specific error code.

10.6.1 Login and session

Error messages from login and session handling when not logged in.

Error string / Error text shown in GUI (English / Swedish):

errorNoRolesAvailable
  EN: The login was successful but there are no services available that you have the authorization to use.
  SV: Inloggningen lyckades men det finns inga tjänster tillgängliga som du är behörig att använda.

errorNoSuitableTokenAvailable
  EN: There is no suitable smart card present.
  SV: Det finns inget passande kort tillgängligt.

errorPoliciesNotFullFilled
  EN: The policy for the content of the input field has not been fulfilled. Please make corrections and try again.
  SV: Regelverket för vad fältet får innehålla är inte uppfyllt. Korrigera innehållet och försök igen.

errorSessionExpired
  EN: Your session has expired since you have been inactive for too long. Please login again.
  SV: Du har varit inaktiv för länge så din session är inte längre giltig. Logga in på nytt.

10.6.2 NiP-GUI (client side)

Error messages from NiP-GUI on client side.

Error code / Error string / Error text shown in GUI (English / Swedish):

CLT001 CKR_CLIENT_MISSING
  EN: The client software used for local calls is missing. Please check your installation.
  SV: Klientprogramvaran som används för lokala anrop saknas. Kontrollera din installation.

CLT002 CKR_CLIENT_ACCESS_DENIED
  EN: The client software used for local calls has stopped the communication with the server. Please check the security settings for 'allowed servers'.
  SV: Klientprogramvaran som används för lokala anrop har stoppat kommunikationen med servern. Kontrollera inställningen för tillåtna värddatorer (allowed servers).

10.6.3 NiP-API (server side)

Error messages from the NiP-API on the server side.

General error messages

Error code | Error string | Error text shown in GUI (English) | Error text shown in GUI (Swedish)
NPR001 | NPR_ACCESS_DENIED | Access denied. Authorization to access the system is missing. | Autentisering misslyckades. Behörighet till systemet saknas.
NPR002 | NPR_ARGUMENT_INVALID | Argument is invalid. | Argumentet är ogiltigt.
NPR003 | NPR_ARGUMENT_MISSING | Argument is missing. | Argument saknas.
NPR004 | NPR_DATA_INVALID | Data is invalid. | Data är ogiltigt.
NPR005 | NPR_DATA_NOT_FOUND | Data cannot be found. | Kunde ej hitta data.
NPR006 | NPR_FAILED | Failed with the action. | Åtgärden misslyckades.
NPR007 | NPR_FORM_NOT_FOUND | The form was not found. | Kunde ej hitta formuläret.
NPR008 | NPR_IMG_INVALID | The image is invalid. Please check that the size is within the min/max values for an image or that other policies are followed. | Fotot är ogiltigt. Kontrollera att det håller sig inom giltiga min/max-storlekar.
NPR009 | NPR_LOGIN_FAILED | Failed to login. | Inloggning misslyckades.
NPR010 | NPR_PROTECTED_DATA | Protected data. | Förändringsskyddad data.
NPR011 | NPR_SECURITY_CODE_POLICY_MISMATCH | The characters in the password do not fulfill the password policy. Please choose another password and try again. | Regelverket för vilka tecken som säkerhetskoden får innehålla är inte uppfyllt. Korrigera innehållet och försök igen.
NPR012 | NPR_SESSION_EXPIRED | You have been inactive for too long and your session has expired. Please login again. | Du har varit inaktiv för länge så din session är inte längre giltig. Logga in på nytt.

Error messages related to Token and Certificate management

Error code | Error string | Error text shown in GUI (English) | Error text shown in GUI (Swedish)
NPR101 | NPR_CRT_INVALID | The certificate is invalid. | Certifikatet är ogiltigt.
NPR102 | NPR_CRT_REQUEST_INVALID | The certificate request is invalid. | Certifikatbegäran är ogiltig.
NPR103 | NPR_ENROLLMENT_FAILED | Enrollment of the token failed. | Utfärdande av enhet misslyckades.
NPR104 | NPR_TKN_ALREADY_EXISTS | The token already exists. | Enheten finns redan i systemet.
NPR105 | NPR_TKN_NOT_BOUNDED_TO_USER | The token is not bound to a user. | Enheten är inte knuten till någon användare.
NPR106 | NPR_TKN_NOT_FOUND | The token was not found. | Kunde inte hitta enheten.
NPR107 | NPR_TKN_TEMPLATE_NOT_FOUND | The token template was not found. | Kunde inte hitta enhetsmallen.
NPR108 | NPR_UNLOCK_TKN_FAILED | Failed to unlock the token. | Misslyckades med att låsa upp enheten.
NPR109 | NPR_USER_TKN_BIND_FAILED | Failed to bind token to the user. | Misslyckades att knyta enheten till användaren.
NPR110 | NPR_TKN_INVALID | The validity period of the token has expired and it cannot be used any more. | Giltighetstiden för enheten har gått ut och den kan inte längre användas för utfärdande.

Error messages related to User management

Error code | Error string | Error text shown in GUI (English) | Error text shown in GUI (Swedish)
NPR201 | NPR_USER_ALREADY_EXISTS | The user already exists in the system. | Användaren finns redan i systemet.
NPR202 | NPR_USER_HAS_BOUNDED_TKNS | There are tokens bound to the user. | Användaren har enheter knutna till sig.
NPR203 | NPR_USER_HAS_BOUNDED_TKNS_TO_BE_REVOKED | There are tokens bound to the user that need to be revoked. | Användaren har enheter knutna till sig som behöver spärras.
NPR204 | NPR_USER_INVALID | The user is invalid. | Användaren är ogiltig.
NPR205 | NPR_USER_NOT_FOUND | The user was not found. | Kunde inte hitta användaren.
NPR206 | NPR_USER_UPDATE_FAILED | Failed to update the user information. | Misslyckades med att uppdatera information om användaren.


Error messages related to Task management

Error code | Error string | Error text shown in GUI (English) | Error text shown in GUI (Swedish)
NPR301 | NPR_TASK_ACTION_NOT_FOUND | The task action was not found. | Kunde inte hitta delmomentet för ärendet.
NPR302 | NPR_TASK_ACTION_SIGN_FAILED | Failed to sign the task action. | Signering av ärendet misslyckades.
NPR303 | NPR_TASK_ALREADY_EXECUTED | The task has already been executed. | Ärendet har redan slutförts.
NPR304 | NPR_TASK_CREATED | The task has been created. | Ärende skapat.
NPR305 | NPR_TASK_FAILED | Failed to execute the task. | Misslyckades utföra ärendet.
NPR306 | NPR_TASK_IN_PROGRESS | The task is in progress. | Ärendet bearbetas.
NPR307 | NPR_TASK_NOT_FOUND | The task was not found. | Kunde inte hitta ärendet.
NPR308 | NPR_TASK_DELEGATED | The task has been successfully delegated to another officer. Your part of the task has been completed. | Ärendet har delegerats vidare till en annan handläggare. Dina steg i processen är avklarade.
NPR309 | NPR_TASK_ALREADY_EXISTS | A task already exists for the object chosen. | Det finns redan ett pågående ärende för samma objekt.

Error messages related to external services

When there is a problem with an external service connected to NiP, the error message from that service is included in the error message from NiP, in the same wording and language as the service reported it to NiP. The possible error messages from connected services are not listed here; they must be looked up in the documentation of each service. Because that text is passed through unchanged to the GUI, check what a connected service puts in its error messages (for example host names or database details) before exposing them to end users.

Error code | Error string | Error text shown in GUI (English) | Error text shown in GUI (Swedish)
NPR901 | NPR_CA_ERROR | A problem with the certificate authority service occurred. Please contact your system administrator. | Fel i certifikatutfärdandetjänsten. Kontakta systemadministratören för åtgärd.
NPR902 | NPR_DATABASE_ERROR | Database error. Please contact your system administrator. | Fel i databastjänsten. Kontakta systemadministratören för åtgärd.
NPR903 | NPR_MSG_SRV_INIT_FAILED | Failed to initialize the messaging service. Please contact your system administrator. | Fel i meddelandetjänsten. Kontakta systemadministratören för åtgärd.
NPR904 | NPR_MSG_SRV_NOT_FOUND | The messaging service was not found. Please contact your system administrator. | Saknar åtkomst till meddelandetjänsten. Kontakta systemadministratören för åtgärd.
NPR905 | NPR_NAVET_ERROR | Error in the Navet service. Please contact your system administrator. | Fel i Navet-tjänsten. Kontakta systemadministratören för åtgärd.
NPR906 | NPR_NAVET_UNREG_PERSON | The person is missing in Navet. Please check that the correct Swedish 'personnummer/samordningsnummer' has been entered. | Personen saknas i Navet. Kontrollera att rätt personnummer/samordningsnummer angetts.


11 Status information

11.1 About

This chapter contains tables with status codes and texts for Token status, Task status and Order Status.

All status texts can be customized if you want to add to or change the text shown for a specific status.

11.2 Token status

The table below is the translation table for Token status, which can be shown for active and/or historical tokens.

Token status code | Text name | Status shown in GUI (English) | Status shown in GUI (Swedish)
0 | Unspecified | Not specified | Oregistrerad
1 | Unused | Not used | Ej använd
2 | Active | Active | Aktiv
3 | WaitForExternalObject | Waiting for external object | Väntar på externt objekt
4 | WaitForDistribution | Waiting for distribution | Väntar på att skickas
5 | Blocked | Blocked | Spärrad
6 | Retired | Retired | Tagen ur bruk
7 | Expired | Expired | Utgången

11.3 Task status

The table below is the translation table for Task status, which can be shown for tasks in the task lists of the GUI.

Task status text string | Status shown in GUI (English) | Status shown in GUI (Swedish)
orderState_Blocked | Blocked | Spärrad
orderState_CertificateRetrieved | Certificate issued | Certifikat hämtat
orderState_Delivered | Delivered | Levererad
orderState_Delivery | Delivery | Leverans
orderState_Disaster | Serious fault | Allvarligt fel
orderState_Error | Error | Fel
orderState_InProduction | In production | Produktion påbörjad
orderState_OrderReceived | Order received | Order mottagen
orderState_ReadyToBeResent | Ready to be resent | Redo att skickas igen
orderState_ReadyToBeSent | Ready to be sent | Redo att skickas
orderState_Sent | Sent | Skickad
orderState_TokenPrinted | Token printed | Enhet visuellt personaliserad
orderState_TokenReady | Token ready | Enhet redo
orderState_TokenSentWaitForPin | Token sent, waiting for PUK | Enhet skickad, väntar på PUK
orderState_Unknown | Unknown | Okänt
orderState_Unsigned | Unsigned | Ej underskriven
state_Cancelled | Cancelled | Avbrutet
state_Done | Done | Klart
state_InProgress | In progress, locked | Pågående, låst
state_NotReady | In progress | Pågående
state_TimedOut | Timed out | Utgånget
state_Wait | Waiting | Väntar


11.4 GemaltoProductionStatus, Kunddatafil

The following table shows the production order status messages delivered from Gemalto in the "Kunddatafil" (customer data file) and their translation to NiP status codes. The Gemalto status strings are listed exactly as they appear in the file, spelling included, since that is the text the translation is matched against; any status not in the table falls through to the default, 0 (Unknown).

Gemalto order status in "Kunddatafil" | NiP status code translation
DATA INPUT | 510 (OrderReceived)
ASCII-DATA LOADED | 510 (OrderReceived)
ASCII-DATA ACCEPTED, IMAGES TO BE LOADED | 510 (OrderReceived)
ORDER RECIEVED | 510 (OrderReceived)
IMAGE EXISTS, DATA DOES NOT | 510 (OrderReceived)
DATA EXISTS, IMAGE DOES NOT | 510 (OrderReceived)
SPAR QUERY DONE, IMAGESCANNING NEEDED | 510 (OrderReceived)
SPAR QUERY SENDED | 510 (OrderReceived)
SPAR QUERY RECIEVED | 510 (OrderReceived)
WAITING FOR NEW SPAR | 510 (OrderReceived)
INTYG CONTROL | 510 (OrderReceived)
INTYG WAIT | 510 (OrderReceived)
READY FOR PRODUCTION | 520 (InProduction)
WORK ORDER NUMBER CREATION | 520 (InProduction)
IMAGE BACKGROUND REMOVAL | 520 (InProduction)
READY TO PRODUCTION | 520 (InProduction)
PRODUCTION | 520 (InProduction)
PICKED TO PRODUCTION | 520 (InProduction)
SET GENERATED | 520 (InProduction)
BATCH EXTRACTED | 520 (InProduction)
WORK FILES CREATED | 520 (InProduction)
READY FOR LASER-PRINTING | 520 (InProduction)
PRINTED | 521 (TokenPrinted)
WAITING FOR QUALITY CONTROL | 520 (InProduction)
IN QUALITY CONTROL | 520 (InProduction)
Security calculation request needed | 520 (InProduction)
Security calculation to be read | 520 (InProduction)
Security calculation results read | 520 (InProduction)
READY FOR CERTIFICATE REQUEST | 520 (InProduction)
SECONT CERT TO BE READ | 520 (InProduction)
THIRD CERT TO BE READ | 520 (InProduction)
CERTIFICATE REQUEST SEND | 520 (InProduction)
CERTIFICATE ANSWER RECIEVED | 522 (CertificateRetrieved)
CHIP-DATA EXTRACTED | 520 (InProduction)
CERTIFICATE UPDATED TO DATABASE | 520 (InProduction)
PICKED TO FINALIZATION | 520 (InProduction)
IN REMOTE CHIP PERSONALIZATION | 520 (InProduction)
REMOTE CHIP PERSONALIZATION DONE | 520 (InProduction)
NON SIDOP PERSONALIZATION | 520 (InProduction)
PRODUCT READY | 523 (TokenReady)
POST HANDLING | 530 (Delivery)
TO BE PACKED | 530 (Delivery)
PACKED | 530 (Delivery)
PRODUCTION LIST TO BE PRINTED | 530 (Delivery)
PRODUCTION LIST PRINTED, NOT CHECKED | 540 (Delivered)
PIN-LETTER WAIT | 531 (TokenSentWaitForPin)
PIN-LETTER PRINTED | 540 (Delivered)
NOTE-LETTER WAIT | 540 (Delivered)
NOTE-LETTER PRINTED | 540 (Delivered)
READY | 540 (Delivered)
DELIVERIED | 540 (Delivered)
ERROR | 600 (Error)
ORDER IS TO BE CHECKED | 600 (Error)
ERROR, WAITING CUSTOMER ANSWER | 600 (Error)
CUSTOMER RETURN WAITING FOR COVERING LETTER PRINTING | 600 (Error)
RETURNED TO CUSTOMER, TO BE REPORTED | 600 (Error)
ERROR RETURN TO CUSTOMER | 600 (Error)
default | 0 (Unknown)

11.5 NiP translations of GemaltoProductionStatus

The NiP status codes for Gemalto production status messages have the following translations.

Status code | Text name | Status shown in GUI (English) | Status shown in GUI (Swedish)
0 | Unknown | Unknown | Okänt
510 | OrderReceived | Order received | Order mottagen
520 | InProduction | In production | Produktion påbörjad
521 | TokenPrinted | Token printed | Enhet visuellt personaliserad
522 | CertificateRetrieved | Certificate issued | Certifikat hämtat
523 | TokenReady | Token ready | Enhet redo
530 | Delivery | Delivery | Leverans
531 | TokenSentWaitForPin | Token sent, waiting for PUK | Enhet skickad, väntar på PUK
540 | Delivered | Delivered | Levererad
550 | Blocked | Blocked | Spärrad
600 | Error | Error | Fel


12 Changes from earlier versions

Brief information regarding changes in the documentation from earlier versions of NiP.

For more detailed information, see each section.

12.1 Changes between v5.0 and v5.1

The changes between v5.0 and v5.1 are so extensive, owing to the implementation of dynamic tasks, that v5.1 of the Technical Description should be regarded as a completely new document.

12.2 NiP v5.0

This is the first version of the NiP v5 Technical Description, so there are no changes from earlier versions.


13 NiP documentation

Document | Description
NiP Administrator’s Guide | User Guide intended for NiP Administrators making configurations for the NiP application. The document describes the configurations and the implications of the different options.
NiP API Information | Provides information regarding the APIs for NiP. The document is intended for technicians, testers and developers of NiP.
NiP Database documentation | Database dump for the primary database of NiP. The information is primarily intended for database administrators.
NiP Database_log documentation | Database dump for the log database of NiP. The information is primarily intended for database administrators.
NiP Handläggar- och Slutanvändarhandledning | NiP Officer and End User User’s Guides in Swedish. The first version of this document will be written for v5.2.
NiP Installation Guide | Provides information regarding how to make a basic installation of the application NiP and the necessary prerequisites. The Installation Guide is primarily intended for technicians responsible for, or involved in, installation of NiP.
NiP Officer and End User User’s Guide | User Guide intended for NiP Officers managing smart cards, devices, certificates and users. The end user part is included to give the officers information regarding the self-service interfaces used by the end users. The first version of this document will be written for v5.2.
NiP Release Notes | Release Notes for NiP in txt format.
NiP XML configuration | Provides examples of how to configure XML formatted configurations in NiP. The document is intended for technicians responsible for, or involved in, configuration of NiP.