Step 5: Security configuration - Intergraph Smart API Manager - 2020 (4.0) - Installation & Upgrade

Intergraph Smart API Manager Installation and Configuration Guide

These steps are completed on the Security Configuration page of the Smart API Manager Configuration Utility.

  1. In the System Administrator Account section, the Create system administrator account option is automatically selected if you are creating a new domain. This creates a local system administrator user for the Smart API Manager web application. A system administrator can create, edit, and delete data without limitation.

  2. If you are creating a local system administrator, enter a login (user name) and password for the user.

  3. In the Identity Server section, specify the SSL certificates used to sign the Identity and JWT access tokens handed out by the security token service (included with Smart API Manager). You can either select existing certificate(s) from the certificate store or click Generate to generate new certificate(s).

    Primary Certificate

    The primary signing certificate (required).

    Secondary Certificate

    The secondary signing certificate (optional).

    The certificate(s) selected must have an RSA public key of 2048 bits. Open the certificate's Details tab to verify the Public key field. The Generate command generates certificates that meet this requirement.

    If you click Generate, fill out the fields on the Generate X.509 Certificate dialog and click Generate on the dialog. The only required fields are Common Name and Expiration (days), which are pre-populated with default values. Certificates are generated in the Personal certificate store on the computer.

    Also, it is considered best practice not to reuse the SSL certificate installed in IIS for securing HTTPS communications. Whenever possible, install a separate X.509 certificate dedicated to token signing.

    The security token service publishes the primary (and secondary) public key at https://<servername>/Sam/oauth/.well-known/jwks, allowing token consumers to learn about the key material.

    The secondary certificate is useful for rolling over to a new signing certificate when the primary certificate is about to expire. Here's a typical workflow:

    1. Acquire the new X.509 signing certificate to replace the one that is expiring soon.

    2. Set this new certificate as the Secondary Certificate. Now, both certificates/keys are published at the jwks endpoint listed above.

    3. Wait 24 hours to allow Smart APIs (using this OAuth security token service) to update their configuration. Smart APIs should update their OAuth configuration every 12 hours, so a 24-hour wait gives every Smart API at least one refresh cycle in which to pick up the new key.

    4. Set the new certificate as the Primary Certificate.

    5. Set the old (expiring) certificate as the Secondary Certificate for as long as needed (clients may be using long running tokens signed with the expiring key that still require validation).
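The following PowerShell script is an added example, not part of the Smart API Manager documentation or product. It checks a candidate token-signing certificate against the requirements above (RSA 2048 bits, private key present, not the IIS SSL certificate) and then queries the jwks endpoint to confirm which keys are currently published, which is the check to run between steps 2 and 3 of the rollover workflow. It assumes the script runs as an administrator on the Smart API Manager server, that `$Thumbprint`, `$ServerName` and `$IisThumbprint` are values you supply, and that the jwks endpoint returns a standard RFC 7517 JWK Set with `x5t` thumbprints (the page only gives the URL).

```powershell
# Added example (not from the Smart API Manager documentation): verifies a
# token-signing certificate and lists the keys the security token service
# publishes. Assumptions: run as administrator on the SAM server; the jwks
# endpoint is a standard RFC 7517 JWK Set whose entries carry an x5t value.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # token-signing certificate to check
    [Parameter(Mandatory)][string]$ServerName,   # host part of https://<servername>/Sam/...
    [string]$IisThumbprint                       # optional: the IIS HTTPS binding certificate
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Requirement from the page: an RSA public key of 2048 bits.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) { throw "Certificate $Thumbprint does not carry an RSA public key." }
if ($rsa.KeySize -ne 2048) { throw "Expected a 2048-bit RSA key, found $($rsa.KeySize) bits." }

# Signing needs the private key in the Personal store (Generate places it there).
if (-not $cert.HasPrivateKey) { throw "No private key is available for $Thumbprint." }

# Warn early enough to run the rollover (secondary -> wait 24 h -> primary).
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days; plan the rollover." }

# Best practice from the page: do not reuse the IIS SSL certificate for token signing.
if ($IisThumbprint -and ($IisThumbprint -eq $Thumbprint)) {
    Write-Warning "Token-signing certificate is the same as the IIS SSL certificate."
}

# Confirm what token consumers actually see at the published jwks endpoint.
$jwks = Invoke-RestMethod -Uri "https://$ServerName/Sam/oauth/.well-known/jwks"
$published = @($jwks.keys)
Write-Host "Keys published by the security token service: $($published.Count)"
foreach ($k in $published) {
    Write-Host ("  kid={0} kty={1} x5t={2}" -f $k.kid, $k.kty, $k.x5t)
}

# x5t is the base64url-encoded SHA-1 certificate hash (RFC 7515). During rollover
# step 2 both certificates must appear here; a Smart API refreshing every 12 hours
# can only learn about a key that is actually published.
$x5t = [Convert]::ToBase64String($cert.GetCertHash()).TrimEnd('=').Replace('+', '-').Replace('/', '_')
if ($published.x5t -contains $x5t) {
    Write-Host "Certificate $Thumbprint is published at the jwks endpoint."
} else {
    Write-Warning "Certificate $Thumbprint is NOT (yet) published at the jwks endpoint."
}
```

Run it once after setting the new certificate as Secondary and again after promoting it to Primary; in both cases the new certificate should be reported as published before the old one is retired.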

  4. Select the Enable Integrated Windows Authentication (IWA) option to enable authentication based on Windows credentials via IWA.

  5. Select the Enable CA SiteMinder Authentication option to enable authentication based on CA SiteMinder credentials.

    Using CA SiteMinder as an identity provider requires detailed configuration via the SiteMinder Administrative user interface. For details on the configuration requirements, see the Identity settings topic in the Smart API Manager help.

  6. In the Default Provider box, select the identity provider used by default to sign into the Smart API Manager web client. If you choose an external identity provider, the Smart API Manager login page automatically redirects users to the login page for the selected provider. For a new domain, the default Local option cannot be changed (you must sign in as a local administrator before you can configure identities from any other provider).

    Local Credentials and Windows Credentials require the user to provide a username and password, so the sign-in page always displays. Integrated Windows Authentication (and other custom providers) can be used to enable SSO (single sign-on), depending on the environment.

  7. Click Next and continue with Step 6: Review configuration.