Configure Net iD Access Server
Configure settings.xml
Net iD Access Server is configurable through the file settings.xml located in the db folder selected during the installation. This section will explain the elements and the options available.
There are no xml attributes. A setting is represented by an xml element, and its value is the content of that element.
When the file /db/settings.xml is available, the Access Server will use it instead of the Base64-encoded version specified in /nias/web.config and /niac/web.config. See Configure the web service (web.config).
Excerpt from the configuration file settings.xml:
```xml
<?xml version="1.0" encoding="utf-8"?>
<information>
  <trace>C:\inetpub\wwwroot\NiAS\trace\</trace>
  <path>C:\inetpub\wwwroot\NiAS\db\</path>
  <name>Net iD Access Server</name>
  <id>Z9</id>
  <image>logo.png</image>
  <site>infopage-folder</site>
  <Protect>yes</Protect>
  <AllowLogout>no</AllowLogout>
  <AllowOnBehalf>yes</AllowOnBehalf>
  <RequestTimeout>90</RequestTimeout>
  <algorithms>
    <algorithm>
      <name>RSA</name>
      <parameter>2048</parameter>
    </algorithm>
  </algorithms>
  <allowed>
    <authority>
      <name>SITHS Type 1 CA v1</name>
      <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
      <verify>
        <local>yes</local>
        <ocsp>no</ocsp>
        <host>no</host>
        <niv>no</niv>
      </verify>
      <keyusage>
        <authenticate>A0</authenticate>
        <signature>40</signature>
      </keyusage>
    </authority>
  </allowed>
</information>
```
Element | Description
---|---
<trace> | The folder where the trace file is saved. To stop saving traces, rename the element to <notrace> but keep the path intact, so the path does not have to be re-entered if tracing needs to be turned on again. Value: Path to folder
<path> | Absolute path to the database folder where this file and the database subfolder are located.
<name> | Name of the NiAS server.
<id> | The id-value is allocated by SecMaker and is used by the Net iD Access app to speed up the process of finding the correct Net iD Access Server. You may NOT use a value of your own. Please contact SecMaker to get your range of id-values.
<image> | File path relative to the [installation path]/niac folder pointing to a PNG file with the server logo.
<site> | Path relative to the [installation path]/niac folder pointing to a web page the client should display when viewing information about the server.
<protect> | Enable/disable encrypted communication between Net iD Access clients and Net iD Access Server. Value: yes, no. Default: yes
<AllowLogout> | This setting should be considered experimental. If set to yes and you continue to send collect calls, the Net iD Access Server will report card removal events as "user_cancel". However, this happens only when the Net iD Access app is in focus. Value: yes, no
<AllowOnBehalf> | Specifies whether the name and logo of the calling service may be controlled when Net iD Access Server is used to support services not directly integrated with this protocol, i.e. federation scenarios. To use this setting you have to create your own Base64-encoded challenge. Value: yes, no
<RequestTimeout> | Defines the time a request can be active. In this version the timeout is only triggered by an update from the client side: the client must ask for a request or try to register a request for the status to be changed. Value: 0 = Valid forever, x = Time in seconds. Default: 0
<test> | Include the menu item Test in the Net iD Access client, which points to a test site. Value: Link to test site.
<algorithms> | –
<algorithm> | –
<name> | Algorithm name
<parameter> | Key length
<allowed> | List of authorities the NiAS server will accept.
<authority> | An authority entry.
<name> | Name of the authority.
<keyid> | Key id of the authority certificate.
<verify> | Certificate verification settings.
<local> | Verify the client certificate with CAPI using the local certificate verification settings. niv and local should not both be activated. Value: yes, no
<ocsp> | Indicates whether the OCSP response should be included in the COMPLETE message. Value: yes, no
<host> | Verifies that the sign request was issued by the same server that is trying to complete the request. Value: yes, no
<niv> | Use Net iD Validator. The elements niv and local should not both be activated. Value: yes, no
<SigningTime> | Time allowed to perform signing. Values: 0 = No control of time format or time, x = Signing is allowed within x second(s)
<keyusage> | Encryption key settings
<authenticate> | Required certificate key usage flag for authentication.
<signature> | Required certificate key usage flag for signing.
Adding allowed authorities
Add authorities that the server accepts by inserting an <authority> element nested under the <allowed> element in the file settings.xml. See Configure settings.xml for element descriptions.
```xml
<allowed>
  <authority>
    <name>SITHS Type 1 CA v1</name>
    <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
    <verify>
      <local>yes</local>
      <ocsp>no</ocsp>
      <host>no</host>
      <niv>no</niv>
    </verify>
    <keyusage>
      <authenticate>A0</authenticate>
      <signature>40</signature>
    </keyusage>
  </authority>
</allowed>
```
The key usage flags for authentication and signing, and the authority key identifier, must all match the values in the presented certificate. Otherwise, the certificate will not be allowed.
Add the relevant root certificates to the Microsoft trust store before setting "local" and "ocsp" to yes.
The correct "keyid" can be taken from the field Authority Key Identifier in the client certificate, or from the field Subject Key Identifier in the issuing CA certificate.
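As an added example (not part of the SecMaker documentation), the following Python check reads a settings.xml like the excerpt above and reports the mistakes the element descriptions warn about: a keyid that is not a 40-digit hex key identifier, local and niv both set to yes, Protect turned off, and a missing or non-numeric RequestTimeout. It also expands the keyusage bytes (A0, 40) into the RFC 5280 KeyUsage bit names so the flags required of a client certificate can be read directly. The sample document is constructed from the excerpt above; the check rules are assumptions drawn from the element table, not the server's own validation.

```python
import re
import xml.etree.ElementTree as ET

# RFC 5280 KeyUsage bits as encoded in the first byte of the BIT STRING.
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation",
                  0x20: "keyEncipherment", 0x10: "dataEncipherment",
                  0x08: "keyAgreement", 0x04: "keyCertSign",
                  0x02: "cRLSign", 0x01: "encipherOnly"}

# Constructed sample: the settings.xml excerpt above, trimmed to the checked elements.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<information>
  <Protect>yes</Protect><AllowLogout>no</AllowLogout><RequestTimeout>90</RequestTimeout>
  <allowed><authority><name>SITHS Type 1 CA v1</name>
    <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
    <verify><local>yes</local><ocsp>no</ocsp><host>no</host><niv>no</niv></verify>
    <keyusage><authenticate>A0</authenticate><signature>40</signature></keyusage>
  </authority></allowed>
</information>"""

def decode_key_usage(hex_byte):
    """Expand a keyusage value such as A0 into RFC 5280 key usage bit names."""
    value = int(hex_byte, 16)
    return [name for bit, name in KEY_USAGE_BITS.items() if value & bit]

def lint_settings(xml_text):
    """Return findings for a settings.xml document; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if (root.findtext("Protect") or "yes").strip().lower() != "yes":
        findings.append("Protect is not yes: client to server traffic is unencrypted")
    timeout = (root.findtext("RequestTimeout") or "0").strip()
    if not timeout.isdigit():
        findings.append(f"RequestTimeout must be a number of seconds, got {timeout!r}")
    elif int(timeout) == 0:
        findings.append("RequestTimeout is 0: requests stay valid forever")
    for auth in root.iter("authority"):
        name = (auth.findtext("name") or "<unnamed>").strip()
        keyid = (auth.findtext("keyid") or "").strip()
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", keyid):
            findings.append(f"{name}: keyid must be the 40 hex digit key identifier")
        local = (auth.findtext("verify/local") or "no").strip().lower() == "yes"
        niv = (auth.findtext("verify/niv") or "no").strip().lower() == "yes"
        if local and niv:
            findings.append(f"{name}: local and niv must not both be yes")
        for purpose in ("authenticate", "signature"):
            flags = (auth.findtext(f"keyusage/{purpose}") or "").strip()
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", flags):
                findings.append(f"{name}: keyusage/{purpose} must be one hex byte")
    return findings
```

Running lint_settings on the sample returns no findings; decoding A0 gives digitalSignature and keyEncipherment, and 40 gives nonRepudiation, which is why the two usages point at different certificates on a SITHS card.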
Configure the calling services (ServerID.xml)
The files ServerID.xml are located in the folder db/server/id. Put the settings for each calling service in a separate ServerID.xml file.
It is recommended to automate the registration process by writing code that uses SOAP calls to generate the files or database records.
ServerID.xml file example:
```xml
<?xml version="1.0" encoding="utf-8"?>
<server>
  <id>S00001</id>
  <address>192.168.200.169</address>
  <name>Calling service X</name>
  <image>iVBORw0...</image>
  <format>raw|2.16.840.1.101.3.4.2.1</format>
</server>
```
key | Value (examples) | Description
---|---|---
id | S00001 | Server ID
address | 192.168.200.16 | IP address
name | Calling service X | Name of calling service.
image | S00001.png | Logo image of the calling service.
format | raw\|2.16.840.1.101.3.4.2.1 | Format for encrypted and/or signed data.
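As an added example (not the product's own tooling), the following Python generator builds one ServerID.xml per calling service from the fields in the table above, validates the address as an IP address, checks that the logo is a PNG no larger than the MaxLogoSize of 16 kB shown in the web.config example, and writes the file under db/server/id. The id pattern S followed by five digits and the file name <id>.xml are assumptions; the logo bytes are a constructed stub.

```python
import base64
import ipaddress
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_LOGO_KB = 16  # mirrors the MaxLogoSize value in the web.config example

# Constructed sample input: a stub logo consisting of the PNG signature plus padding.
SAMPLE_LOGO = PNG_SIGNATURE + b"\x00" * 64

def build_server_id_xml(service_id, address, name, png_bytes, data_format):
    """Validate the calling service fields and return ServerID.xml as a string."""
    if not re.fullmatch(r"S\d{5}", service_id):  # assumption: ids follow the S00001 pattern
        raise ValueError(f"unexpected server id: {service_id!r}")
    ipaddress.ip_address(address)  # raises ValueError if the address is not an IP
    if not png_bytes.startswith(PNG_SIGNATURE):
        raise ValueError("logo must be a PNG image")
    if len(png_bytes) > MAX_LOGO_KB * 1024:
        raise ValueError(f"logo exceeds MaxLogoSize of {MAX_LOGO_KB} kB")
    server = ET.Element("server")
    for tag, text in (("id", service_id), ("address", address), ("name", name),
                      ("image", base64.b64encode(png_bytes).decode("ascii")),
                      ("format", data_format)):
        ET.SubElement(server, tag).text = text  # ElementTree escapes any markup in the text
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(server, encoding="unicode"))

def write_server_id_file(db_folder, **fields):
    """Write one file per calling service under db/server/id; file name <id>.xml is assumed."""
    target_dir = Path(db_folder) / "server" / "id"
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / f"{fields['service_id']}.xml"
    target.write_text(build_server_id_xml(**fields), encoding="utf-8")
    return target

if __name__ == "__main__":
    print(build_server_id_xml("S00001", "192.168.200.169", "Calling service X",
                              SAMPLE_LOGO, "raw|2.16.840.1.101.3.4.2.1"))
```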
Configure the web service (web.config)
There are two web.config files, one in the nias folder and one in the niac folder. Not all elements described below are used in both the web.config files, but the elements that are shared must have the same value. It is therefore recommended to keep both the web.config files identical. This will also make maintenance easier.
```xml
<configuration>
  <appSettings>
    <add key="DatabaseConnectionType" value="0"/>
    <add key="TraceDebugMode" value="true"/>
    <add key="OnlyRequestTrace" value="true"/>
    <add key="SOAPTrace" value="false"/>
    <add key="PnrDenied" value="true"/>
    <add key="AllowedPnrSize" value="10,50"/>
    <add key="AdditionalValidChars" value="xxxxx"/>
    <add key="AllowPublicData" value="1"/>
    <add key="Customs" value="xxxxx"/>
    <add key="MaxLogoSize" value="16"/>
    <add key="RegisterDenied" value="1"/>
    <add key="MinClientVersion" value="6.0"/>
    <add key="MinClientGUIVersion" value="6.0"/>
    <add key="DefaultServiceName" value="DEMO"/>
    <add key="DefaultServiceImage" value="xxxxx"/>
    <add key="SettingsXML" value="xxxxx"/>
    <add key="RequestBlockTime" value="60"/>
  </appSettings>
  <connectionStrings>
    <add name="AccessDatabaseACC" connectionString="Provider=Microsoft.ACE.OLEDB.12.0; Data Source=C:\yourdatabase.accdb; Persist Security Info=False;" providerName="System.Data.OleDb"/>
    <add name="AccessMSSQL" connectionString="Data Source=.\MSSQLSERVER2016; Initial Catalog=AccessMSSQL; User Id=xxxxx; password=xxxxx" providerName="System.Data.SqlClient"/>
    <add name="Odbc" connectionString="DRIVER={MySql ODBC 8.0 Unicode Driver}; Server=localhost; Database=yourdatabase; User=xxxxx; Password=xxxxx" providerName="System.Data.Odbc"/>
  </connectionStrings>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IServiceSoap"/>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://192.168.205.14/ServiceVerifier/ServiceSoap.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSoap" contract="ServiceSoapNiV.IServiceSoap" name="BasicHttpBinding_IServiceSoap"/>
    </client>
  </system.serviceModel>
</configuration>
```
Web.config – appSettings elements
To configure the Net iD Access Server web service appSettings elements, make the settings in the web.config file as described below. The settings are made using the following syntax:
```xml
<appSettings>
  <add key="key" value="value"/>
</appSettings>
```
key | Description | Value
---|---|---
DatabaseConnectionType | Type of database connection. | 
TraceDebugMode | Filter the trace logs. | true, false
OnlyRequestTrace | Show one request per line in the trace. | true, false
SOAPTrace | Record SOAP traces. | true, false
PnrDenied | Deny client requests with personal identity number. | true, false
AllowedPnrSize | Allowed length of the personal identity number. | MIN_VALUE, MAX_VALUE
AdditionalValidChars | Allow for special characters. | 
AllowPublicData | Allow public data, such as shared secret and user ID, to be recorded to the card. | true, false
Customs | Specify a text string of your own choice, used as a label for the signature message. | string
MaxLogoSize | Max logo size. | size in kB
RegisterDenied | Prevent users from registering services. | true, false
MinClientVersion | Allow only clients with this version and above. | Version number
MinClientGUIVersion | Allow only GUI versions with this version and above. | Version number
DefaultServiceName | Default service name. | string
DefaultServiceImage | Default service image. | PNG image in Base64 format.
SettingsXML | Use settings.xml in Base64 format instead of the file. If the file settings.xml is present, it takes priority. | Content of settings.xml in Base64 format.
RequestBlockTime | Blocks all requests during the specified time if a user has an active authentication or signature request and a new request is issued. This prevents a third party from getting a false request approved in a man-in-the-middle attack. | Value in seconds.
When an authentication or signature request is blocked, the service gets no notification of when it can issue a new request. Use the SOAP exception below to notify the user.
```xml
<?xml version="1.0" encoding="utf-8"?>
<RpFault xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <faultStatus>USER_BLOCKED</faultStatus>
  <detailedDescription>For security reasons authentications and signatures for this account has been temporarily blocked.</detailedDescription>
</RpFault>
```
Web.config – connectionStrings elements
The connectionStrings setting is necessary if you are not using file system mode.
To configure the Net iD Access Server web service connectionString elements, make the settings in the web.config file as described below. The settings are made using the following syntax:
```xml
<connectionStrings>
  <add name="name" connectionString="connectionString" providerName="providerName"/>
</connectionStrings>
```
name | connectionString[1] (example) | providerName | Description
---|---|---|---
AccessDatabaseACC | Provider=Microsoft.ACE.OLEDB.12.0; | System.Data.OleDb | Connection string for MS Access Database.
AccessMSSQL | Data Source=.\MSSQLSERVER2016; | System.Data.SqlClient | Connection string for MS SQL Server.
Odbc | DRIVER={MySql ODBC 8.0 Unicode Driver}; | System.Data.Odbc | Connection string for ODBC connection.
Web.config – OCSP settings
The OCSP settings let Net iD Validator communicate with the OCSP responder.
To configure the Net iD Access Server web service OCSP settings, make the settings in the web.config file as described below. The settings are made using the following syntax:
```xml
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IServiceSoap"/>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://192.168.205.14/ServiceVerifier/ServiceSoap.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSoap" contract="ServiceSoapNiV.IServiceSoap" name="BasicHttpBinding_IServiceSoap"/>
    </client>
  </system.serviceModel>
</configuration>
```
XML element | XML attribute | Description
---|---|---
binding | name | Name of the binding. Value: BasicHttpBinding_IServiceSoap
endpoint | address | Web address (URL) of the Net iD Validator. The certificate contains the URL to the OCSP responder. Value: URL
endpoint | binding | Specifies how to communicate with the endpoint. Do not change this value. Value: basicHttpBinding
endpoint | bindingConfiguration | Configuration of the binding. Do not change this value. Value: BasicHttpBinding_IServiceSoap
endpoint | contract | A contract that identifies the available operations. Do not change this value. Value: ServiceSoapNiV.IServiceSoap
endpoint | name | Name of the binding. Do not change this value. Value: BasicHttpBinding_IServiceSoap