Configure Net iD Access Server

Configure settings.xml

Net iD Access Server is configurable through the file settings.xml located in the db folder selected during the installation. This section will explain the elements and the options available.

There are no xml attributes. A setting is represented by an xml element, and its value is the content of that element.

When the file /db/settings.xml is available, the Access Server will use it instead of the Base64-encoded version specified in /nias/web.config and /niac/web.config. See Configure the web service (web.config).

Excerpt from the configuration file settings.xml:

<?xml version="1.0" encoding="utf-8"?>
<information>
  <trace>C:\inetpub\wwwroot\NiAS\trace\</trace>
  <path>C:\inetpub\wwwroot\NiAS\db\</path>
  <name>Net iD Access Server</name>
  <id>Z9</id>
  <image>logo.png</image>
  <site>infopage-folder</site>
  <Protect>yes</Protect>
  <AllowLogout>no</AllowLogout>
  <AllowOnBehalf>yes</AllowOnBehalf>
  <RequestTimeout>90</RequestTimeout>
  <algorithms>
    <algorithm>
      <name>RSA</name>
      <parameter>2048</parameter>
    </algorithm>
  </algorithms>
  <allowed>
    <authority>
      <name>SITHS Type 1 CA v1</name>
      <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
      <verify>
        <local>yes</local>
        <ocsp>no</ocsp>
        <host>no</host>
        <niv>no</niv>
      </verify>
      <keyusage>
        <authenticate>A0</authenticate>
        <signature>40</signature>
      </keyusage>
    </authority>
  </allowed>
</information>
Table 1. settings.xml element descriptions
Element Description

<trace>

The folder where the trace file is saved. To disable tracing, rename the element to <notrace> but keep the path intact, so that it does not have to be re-entered if tracing is turned on again.

Value: Path to folder

<path>

Absolute path to the database folder where this file and the database subfolder are located.

This value is used when DatabaseConnectionType is set to 0 (File system) in web.config.

<name>

Name of the NiAS server.

<id>

The id-value is allocated by SecMaker and is used by the Net iD Access app to speed up the process of finding the correct Net iD Access Server. You may NOT use a value of your own. Please contact SecMaker to get your range of id-values.

<image>

File path, relative to the [installation path]/niac folder, pointing to a PNG file with the server logo.

<site>

Path, relative to the [installation path]/niac folder, pointing to a web page the client displays when viewing information about the server.

<protect>

Enable/disable encrypted communication between Net iD Access clients and Net iD Access Server.

Value: yes, no, Default: yes

<AllowLogout>

This setting should be considered as experimental. If set to yes and you continue to send collect calls, the Net iD Access Server will report card removal events as “user_cancel”. However, this happens only when the Net iD Access app is in focus.

Value: yes, no

<AllowOnBehalf>

Specifies whether a calling service may control the name and logo presented to the user when Net iD Access Server supports services not directly integrated with this protocol, i.e. federation scenarios. To use this setting you have to create your own Base64-encoded challenge.

Value: yes, no

<RequestTimeout>

Defines how long a request can stay active. In this version the timeout is only evaluated when the client side triggers an update: the client must ask for the request, or try to register a request, before the status changes.

Value: 0 = Valid forever, x = Time in seconds, Default 0.

<test>

Include the menu item Test in the Net iD Access client, which points to a test site.

Value: Link to test site.

<algorithms>

<algorithm>

<name>

Algorithm name

<parameter>

Key length

<allowed>

List of authorities the NiAS server will accept.

<authority>

An authority entry.

<name>

Name of the authority.

<keyid>

Key id of the authority certificate.

<verify>

Certificate verification settings.

<local>

Verify the client certificate with CAPI using the local settings for certificate verification. niv and local should not both be activated.

Value: yes, no

<ocsp>

Indicates if the OCSP-response should be included in the COMPLETE-message.

Value: yes, no

<host>

Verifies that the sign request was issued by the same server that is trying to complete the request.

Value: yes, no

<niv>

Use Net iD Validator. The elements niv and local should not both be activated.

Value: yes, no

<SigningTime>

Time allowed to perform signing.

Values: 0 = No control of time format or time, 1 = Signing is allowed in x second(s)

<keyusage>

Encryption key settings

<authenticate>

Required certificate key usage flag for authentication.

<signature>

Required certificate key usage flag for signing.

Adding allowed authorities

Add authorities that the server accepts by inserting an <authority> element nested under the <allowed> element in the file settings.xml. See Configure settings.xml for element descriptions.

<allowed>
  <authority>
    <name>SITHS Type 1 CA v1</name>
    <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
    <verify>
      <local>yes</local>
      <ocsp>no</ocsp>
      <host>no</host>
      <niv>no</niv>
    </verify>
    <keyusage>
      <authenticate>A0</authenticate>
      <signature>40</signature>
    </keyusage>
  </authority>
</allowed>

The key usage flags for authentication and signing, and the authority key identifier, must all match the values in the presented certificate. Otherwise, the certificate is not accepted.

Add the relevant root certificates to the Microsoft trust store in order to set "local" and "ocsp" to yes.

The correct "keyid" can be taken from the field Authority Key Identifier in the client certificate, or from the field Subject Key Identifier in the issuing CA certificate.
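The rules stated in the element descriptions above and in this section (one <authority> per accepted CA, keyid and key usage flags that must match the presented certificate exactly, and <local> and <niv> never both enabled) can be checked mechanically before a settings.xml is deployed. The following Python script is an added example and is not part of the Net iD Access Server product or SecMaker's code. It assumes that the keyid is always 20 bytes, as in the documented example, and that the hex key usage value is the first byte of the X.509 KeyUsage bit string (so A0 is digitalSignature plus keyEncipherment and 40 is nonRepudiation); both are assumptions, not statements from the documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample that follows the settings.xml excerpt in the documentation.
SETTINGS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<information>
  <trace>C:\inetpub\wwwroot\NiAS\trace\</trace>
  <path>C:\inetpub\wwwroot\NiAS\db\</path>
  <name>Net iD Access Server</name>
  <id>Z9</id>
  <allowed>
    <authority>
      <name>SITHS Type 1 CA v1</name>
      <keyid>959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4</keyid>
      <verify>
        <local>yes</local>
        <ocsp>no</ocsp>
        <host>no</host>
        <niv>no</niv>
      </verify>
      <keyusage>
        <authenticate>A0</authenticate>
        <signature>40</signature>
      </keyusage>
    </authority>
  </allowed>
</information>
"""

# Same file with both <local> and <niv> enabled, which the documentation forbids.
BAD_SETTINGS_XML = SETTINGS_XML.replace("<niv>no</niv>", "<niv>yes</niv>")

# Assumption: the hex key usage value is the first byte of the X.509 KeyUsage
# bit string, so A0 = digitalSignature + keyEncipherment and 40 = nonRepudiation.
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
    0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly",
}


def describe_keyusage(hex_value):
    """Names of the key usage bits set in a value such as 'A0'."""
    value = int(hex_value, 16)
    return [name for bit, name in KEY_USAGE_BITS.items() if value & bit]


def lint_settings(xml_text):
    """Findings for the rules stated in the element descriptions."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if root.find("trace") is None and root.find("notrace") is None:
        findings.append("neither trace nor notrace element is present")
    for auth in root.iter("authority"):
        name = auth.findtext("name", "unnamed authority")
        keyid = auth.findtext("keyid", "")
        try:
            # The documented example keyid is 20 bytes; assumed to be the required length.
            if len(bytes.fromhex(keyid)) != 20:
                findings.append(f"{name}: keyid is not 20 bytes")
        except ValueError:
            findings.append(f"{name}: keyid is not hexadecimal")
        local = auth.findtext("verify/local", "no").lower() == "yes"
        niv = auth.findtext("verify/niv", "no").lower() == "yes"
        if local and niv:
            findings.append(f"{name}: local and niv must not both be yes")
    return findings


def authority_accepts(xml_text, cert_aki_hex, cert_keyusage_hex, purpose):
    """Name of the authority that admits a certificate, or None.

    purpose is 'authenticate' or 'signature'. The certificate's authority key
    identifier and key usage value are compared for an exact match with the
    configured keyid and flag, which is how the documentation states the rule."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for auth in root.iter("authority"):
        if auth.findtext("keyid", "").upper() != cert_aki_hex.upper():
            continue
        if auth.findtext(f"keyusage/{purpose}", "").upper() == cert_keyusage_hex.upper():
            return auth.findtext("name")
    return None


if __name__ == "__main__":
    print("findings:", lint_settings(SETTINGS_XML))
    print("bad file:", lint_settings(BAD_SETTINGS_XML))
    print("A0 =", describe_keyusage("A0"), "| 40 =", describe_keyusage("40"))
    print(authority_accepts(SETTINGS_XML, "959D7C354DEDFDD2BA3F5FBD8A85F23C5B263FF4", "A0", "authenticate"))
```

Run it against the deployed file before restarting the service; a certificate whose key usage byte differs from the configured flag, even by one extra bit, is rejected under the exact-match reading, so describe_keyusage helps explain why a CA's certificates are being refused.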

Configure the calling services (ServerID.xml)

The files ServerID.xml are located in the folder db/server/id. Put the settings for each calling service in a separate ServerID.xml file.

It is recommended to automate the registration process by writing code that uses SOAP calls to generate the files or database records.

ServerID.xml file example:

<?xml version="1.0" encoding="utf-8"?>
<server>
  <id>S00001</id>
  <address>192.168.200.169</address>
  <name>Calling service X</name>
  <image>iVBORw0...</image>
  <format>raw|2.16.840.1.101.3.4.2.1</format>
</server>
key Value (examples) Description

id

S00001

Server ID

address

192.168.200.16

IP address

name

Calling service X

Name of calling service.

image

S00001.png

Logo image of the calling service.

Value: file name or string with the Base64 encoded image

format

raw|2.16.840.1.101.3.4.2.1

Format for encrypted and/or signed data.

Value: pkcs7, raw
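Because the documentation recommends generating ServerID.xml files programmatically, the following Python script is an added example of doing so with the checks a registration tool would want: the address must be an IP address, the logo must be a PNG no larger than MaxLogoSize (16 kB in the web.config example), and the format must start with one of the listed values. The script is not part of the Net iD Access Server product or SecMaker's code; the check_service, build_server_id and parse_server_id names are its own, and the sample logo is a constructed PNG signature with padding rather than a real image.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # first eight bytes of every PNG file
FORMATS = ("pkcs7", "raw")             # values the documentation lists for format

# Constructed stand-in for a logo: a PNG signature plus padding, not a real image.
SAMPLE_LOGO = PNG_SIGNATURE + b"\x00" * 100


def check_service(address, logo_png, fmt, max_logo_kb=16):
    """Problems with the calling-service data; an empty list means it is acceptable."""
    problems = []
    try:
        ipaddress.ip_address(address)
    except ValueError:
        problems.append("address is not an IP address")
    if not logo_png.startswith(PNG_SIGNATURE):
        problems.append("logo is not a PNG file")
    if len(logo_png) > max_logo_kb * 1024:
        problems.append(f"logo exceeds MaxLogoSize of {max_logo_kb} kB")
    # The documented example is "raw|<hash OID>"; only the part before '|' is checked.
    if fmt.split("|", 1)[0] not in FORMATS:
        problems.append(f"format must start with one of {FORMATS}")
    return problems


def build_server_id(service_id, address, name, logo_png, fmt, max_logo_kb=16):
    """Return the text of a ServerID.xml for one calling service, logo inlined as Base64."""
    problems = check_service(address, logo_png, fmt, max_logo_kb)
    if problems:
        raise ValueError("; ".join(problems))
    fields = [
        ("id", service_id),
        ("address", address),
        ("name", name),
        ("image", base64.b64encode(logo_png).decode("ascii")),
        ("format", fmt),
    ]
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<server>"]
    lines += [f"  <{tag}>{escape(value)}</{tag}>" for tag, value in fields]
    lines.append("</server>")
    return "\n".join(lines) + "\n"


def parse_server_id(xml_text):
    """Read a ServerID.xml back into a dict and classify the image value.

    The image element may hold a file name (for example S00001.png) or the
    Base64-encoded PNG itself; an inline image is decoded and checked."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "server":
        raise ValueError("root element must be server")
    record = {child.tag: (child.text or "") for child in root}
    image = record.get("image", "")
    if image.lower().endswith(".png"):
        record["image_kind"] = "file"
    else:
        logo = base64.b64decode(image, validate=True)
        if not logo.startswith(PNG_SIGNATURE):
            raise ValueError("embedded image is not a PNG")
        record["image_kind"] = "inline"
        record["logo_bytes"] = len(logo)
    return record


if __name__ == "__main__":
    doc = build_server_id("S00001", "192.168.200.169", "Calling service X",
                          SAMPLE_LOGO, "raw|2.16.840.1.101.3.4.2.1")
    print(doc)
    print(parse_server_id(doc))
```

Writing the result to db/server/id/S00001.xml is left to the caller; parse_server_id is useful when auditing the files already present in that folder, since it rejects an image value that is neither a .png file name nor valid Base64 PNG data.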

Configure the web service (web.config)

There are two web.config files, one in the nias folder and one in the niac folder. Not all elements described below are used in both the web.config files, but the elements that are shared must have the same value. It is therefore recommended to keep both the web.config files identical. This will also make maintenance easier.

An example excerpt from the web.config file:
<appSettings>
  <add key="DatabaseConnectionType" value="0"/>
  <add key="TraceDebugMode" value="true"/>
  <add key="OnlyRequestTrace" value="true"/>
  <add key="SOAPTrace" value="false"/>
  <add key="PnrDenied" value="true"/>
  <add key="AllowedPnrSize" value="10,50"/>
  <add key="AdditionalValidChars" value="xxxxx"/>
  <add key="AllowPublicData" value="1"/>
  <add key="Customs" value="xxxxx"/>
  <add key="MaxLogoSize" value="16"/>
  <add key="RegisterDenied" value="1"/>
  <add key="MinClientVersion" value="6.0"/>
  <add key="MinClientGUIVersion" value="6.0"/>
  <add key="DefaultServiceName" value="DEMO"/>
  <add key="DefaultServiceImage" value="xxxxx"/>
  <add key="SettingsXML" value="xxxxx"/>
  <add key="RequestBlockTime" value="60"/>
</appSettings>

<connectionStrings>
  <add name="AccessDatabaseACC" connectionString="Provider=Microsoft.ACE.OLEDB.12.0; Data Source=C:\yourdatabase.accdb; Persist Security Info=False;" providerName="System.Data.OleDb"/>
  <add name="AccessMSSQL" connectionString="Data Source=.\MSSQLSERVER2016; Initial Catalog=AccessMSSQL; User Id=xxxxx; password=xxxxx" providerName="System.Data.SqlClient"/>
  <add name="Odbc" connectionString="DRIVER={MySql ODBC 8.0 Unicode Driver}; Server=localhost; Database=yourdatabase; User=xxxxx; Password=xxxxx" providerName="System.Data.Odbc"/>
</connectionStrings>

<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IServiceSoap"/>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://192.168.205.14/ServiceVerifier/ServiceSoap.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSoap" contract="ServiceSoapNiV.IServiceSoap" name="BasicHttpBinding_IServiceSoap"/>
    </client>
  </system.serviceModel>
</configuration>

Web.config – appSettings elements

To configure the Net iD Access Server web service appSettings elements, make the settings in the web.config file as described below. The settings are made using the following syntax:

<appSettings>
  <add key="key" value="value"/>
</appSettings>
Table 2. appSettings/add attribute values.
key Description Value

DatabaseConnectionType

Type of database connection.

Value:
0 – File system
1 – Deprecated
2 – MS SQL Server
3 – Deprecated
4 – ODBC connection (MySql)

TraceDebugMode

Filter the trace logs.

true, false

OnlyRequestTrace

Show one request per line in the trace.

true, false

SOAPTrace

Record SOAP traces.

true, false

PnrDenied

Deny client requests with personal identity number.

true, false

AllowedPnrSize

Allowed length of the personal identity number.

MIN_VALUE, MAX_VALUE

In database mode MAX_VALUE must not be greater than 50.

AdditionalValidChars

Additional characters to accept as valid input.

AllowPublicData

Allow public data, such as the shared secret and user ID, to be recorded on the card.

true, false

Customs

Specify a text string of your own choice, as a label to the signature message.

string

MaxLogoSize

Max logo size.

size in kB

RegisterDenied

Prevent users from registering services.

true, false

MinClientVersion

Allow only clients with this version and above.

Version number

MinClientGUIVersion

Allow only GUI versions with this version and above.

Version number

DefaultServiceName

Default service name.

string

DefaultServiceImage

Default service image.

PNG image in Base64 format.

SettingsXML

Use a Base64-encoded settings.xml instead of the file. If the file /db/settings.xml exists, it takes priority.

Content of settings.xml in Base64 format.

This attribute value is valid from Net iD Access Server 2.3.1.

RequestBlockTime

Blocks all requests during the specified time if a user has an active authenticate or signature request and a new request is issued. This prevents a third party from getting a false request approved in a man-in-the-middle attack.

Value in seconds. 0 drops the requests but immediately enables a new request.

When an authentication or signature request is blocked, the service gets no notification on when it can do a new request. Use the SOAP exception to notify the user.

RequestBlockTime SOAP exception example:

<?xml version="1.0" encoding="utf-8"?>
<RpFault xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <faultStatus>USER_BLOCKED</faultStatus>
  <detailedDescription>For security reasons authentications and signatures for this account has been temporarily blocked.</detailedDescription>
</RpFault>
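Two things in Table 2 are easy to get wrong silently: the value constraints (a deprecated DatabaseConnectionType, an AllowedPnrSize MAX_VALUE above 50 in database mode, a SettingsXML value that is not Base64-encoded XML) and the RequestBlockTime behaviour, which the calling service only ever sees as a USER_BLOCKED fault. The following Python script is an added example, not part of the Net iD Access Server product or SecMaker's code. It reads the appSettings from a constructed web.config excerpt, reports the documented constraint violations, and models the RequestBlockTime rule as a small state machine so that a developer integrating a calling service can see when the fault is raised; the RequestGuard class and its ACCEPTED/DROPPED/USER_BLOCKED results are the example's own names, and how the real server schedules the block is not described in the documentation beyond what the model implements.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed web.config excerpt following the documentation's example.
WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="DatabaseConnectionType" value="2"/>
    <add key="PnrDenied" value="true"/>
    <add key="AllowedPnrSize" value="10,50"/>
    <add key="MaxLogoSize" value="16"/>
    <add key="MinClientVersion" value="6.0"/>
    <add key="RequestBlockTime" value="60"/>
  </appSettings>
</configuration>
"""

DEPRECATED_DB_TYPES = {1, 3}   # values Table 2 marks as deprecated


def read_app_settings(xml_text):
    """Map appSettings/add key attributes to their value attributes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {a.get("key"): a.get("value") for a in root.iterfind("appSettings/add")}


def encode_settings_xml(settings_xml_text):
    """Produce the Base64 form that the SettingsXML key expects."""
    return base64.b64encode(settings_xml_text.encode("utf-8")).decode("ascii")


def lint_app_settings(settings):
    """Findings for the constraints stated in Table 2."""
    findings = []
    db_type = int(settings.get("DatabaseConnectionType", "0"))
    if db_type in DEPRECATED_DB_TYPES:
        findings.append(f"DatabaseConnectionType {db_type} is deprecated")
    if "AllowedPnrSize" in settings:
        lo, hi = (int(v) for v in settings["AllowedPnrSize"].split(","))
        if lo > hi:
            findings.append("AllowedPnrSize: MIN_VALUE greater than MAX_VALUE")
        if db_type != 0 and hi > 50:
            findings.append("AllowedPnrSize: MAX_VALUE must not exceed 50 in database mode")
    if "SettingsXML" in settings:
        try:
            ET.fromstring(base64.b64decode(settings["SettingsXML"], validate=True))
        except (ValueError, ET.ParseError):   # binascii.Error is a ValueError
            findings.append("SettingsXML is not Base64-encoded XML")
    return findings


class RequestGuard:
    """Model of RequestBlockTime: a new request while one is active for the
    same user drops the requests and blocks that user for block_time seconds;
    block_time 0 drops them but allows a new request immediately. Time is
    passed in explicitly so the behaviour can be exercised without waiting."""

    def __init__(self, block_time):
        self.block_time = block_time
        self.active = {}          # user -> start time of the pending request
        self.blocked_until = {}   # user -> time at which requests are allowed again

    def submit(self, user, now):
        if now < self.blocked_until.get(user, 0):
            return "USER_BLOCKED"             # service should relay the RpFault
        if user in self.active:
            del self.active[user]             # the pending request is dropped
            self.blocked_until[user] = now + self.block_time
            return "USER_BLOCKED" if self.block_time > 0 else "DROPPED"
        self.active[user] = now
        return "ACCEPTED"

    def complete(self, user):
        """Normal completion clears the active request without any block."""
        self.active.pop(user, None)


if __name__ == "__main__":
    cfg = read_app_settings(WEB_CONFIG)
    print("findings:", lint_app_settings(cfg))
    guard = RequestGuard(int(cfg["RequestBlockTime"]))
    for t in (0, 10, 30, 70):
        print(f"t={t:>3}s", guard.submit("user-1", t))
```

In the run above the second request at ten seconds is answered with USER_BLOCKED, the one at thirty seconds is still blocked, and the one at seventy seconds is accepted again; with RequestBlockTime set to 0 the overlapping request is dropped but the very next one is accepted.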

Web.config – connectionStrings elements

The connectionStrings setting is necessary if you are not using file system mode.

To configure the Net iD Access Server web service connectionString elements, make the settings in the web.config file as described below. The settings are made using the following syntax:

<connectionStrings>
  <add name="name" connectionString="connectionString" providerName="providerName"/>
</connectionStrings>
Table 3. connectionStrings/add attribute values.
name connectionString[1] (example) providerName Description

AccessDatabaseACC

Provider=Microsoft.ACE.OLEDB.12.0;
Data Source=Full path to database;
Persist Security Info=False

System.Data.OleDb

Connection string for MS Access Database.

This is not tested for this release.

AccessMSSQL

Data Source=.\MSSQLSERVER2016;
Initial Catalog=AccessMSSQL;
User Id=xxxxx;
password=xxxxx

System.Data.SqlClient

Connection string for MS SQL Server.

Odbc

DRIVER={MySql ODBC 8.0 Unicode Driver};
Server=localhost;
Database=accessdb;
User=xxxxx;
Password=xxxxx

System.Data.Odbc

Connection string for ODBC connection.

This is not tested for this release.

Web.config – OCSP settings

The OCSP settings let Net iD Validator communicate with the OCSP responder.

To configure the Net iD Access Server web service OCSP settings, make the settings in the web.config file as described below. The settings are made using the following syntax:

<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IServiceSoap"/>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://192.168.205.14/ServiceVerifier/ServiceSoap.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSoap" contract="ServiceSoapNiV.IServiceSoap" name="BasicHttpBinding_IServiceSoap"/>
    </client>
  </system.serviceModel>
</configuration>
XML element XML attribute Description

binding

name

Name of the binding.

Value: BasicHttpBinding_IServiceSoap

endpoint

address

Web address (URL) of the Net iD Validator. The certificate contains the URL to the OCSP responder.

Value: URL

binding

Specifies how to communicate with the endpoint. Do not change this value.

Value: basicHttpBinding

bindingConfiguration

Configuration of the binding. Do not change this value.

Value: BasicHttpBinding_IServiceSoap

contract

A contract that identifies the available operations. Do not change this value.

Value: ServiceSoapNiV.IServiceSoap

name

Name of the binding. Do not change this value.

Value: BasicHttpBinding_IServiceSoap
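Four of the endpoint attributes above are fixed values that must not be changed, and the only one an operator edits is the address. A configuration check that confirms exactly that is a cheap safeguard against accidental edits of web.config. The following Python script is an added example, not part of the Net iD Access Server product or SecMaker's code: it reads the system.serviceModel section from a constructed copy of the documented excerpt, compares the fixed attributes with the documented values, checks that the referenced binding is declared, and parses the address as a URL. The warning it emits for a plain http address is this example's own caution (the documented example itself uses http), not a requirement stated in the documentation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Attribute values the documentation says must not be changed.
FIXED_ENDPOINT_ATTRIBUTES = {
    "binding": "basicHttpBinding",
    "bindingConfiguration": "BasicHttpBinding_IServiceSoap",
    "contract": "ServiceSoapNiV.IServiceSoap",
    "name": "BasicHttpBinding_IServiceSoap",
}

# Constructed copy of the documented web.config excerpt.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IServiceSoap"/>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://192.168.205.14/ServiceVerifier/ServiceSoap.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IServiceSoap" contract="ServiceSoapNiV.IServiceSoap" name="BasicHttpBinding_IServiceSoap"/>
    </client>
  </system.serviceModel>
</configuration>
"""


def check_validator_endpoint(xml_text):
    """Return {'errors': [...], 'warnings': [...]} for the Net iD Validator endpoint."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    errors, warnings = [], []
    declared_bindings = {b.get("name") for b in root.iter("binding")}
    endpoints = list(root.iter("endpoint"))
    if not endpoints:
        errors.append("no client endpoint configured")
    for ep in endpoints:
        for attr, expected in FIXED_ENDPOINT_ATTRIBUTES.items():
            if ep.get(attr) != expected:
                errors.append(f"endpoint {attr}={ep.get(attr)!r}, expected {expected!r}")
        if ep.get("bindingConfiguration") not in declared_bindings:
            errors.append("endpoint refers to a binding that is not declared under bindings")
        address = ep.get("address", "")
        url = urlparse(address)
        if url.scheme not in ("http", "https") or not url.netloc:
            errors.append(f"endpoint address {address!r} is not an http(s) URL")
        elif url.scheme == "http":
            # Example's own caution: the validator is reached without TLS.
            warnings.append(f"endpoint address {address!r} uses plain http")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_validator_endpoint(WEB_CONFIG)
    for level in ("errors", "warnings"):
        for line in result[level]:
            print(f"{level[:-1]}: {line}")
    print("ok" if not result["errors"] else "configuration needs attention")
```

Running the check on both web.config files (nias and niac) also covers the recommendation earlier on this page that the two files stay identical for their shared elements.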


1. The connectionString value options will change depending on system setup.