Managing the Network Configuration

ActivID AS Ports and Protocols

The following table outlines the network communications that are required to and from ActivID AS for the following configurations.

Protocol Direction Type Port Encryption Authentication
HTTPS Inbound TCP Configurable SSL/TLS Mutual PKI
HTTPS Inbound TCP Configurable SSL/TLS Server-based PKI and one additional form factor

ActivID AS requires an HTTPS port and, if a client application (for example, a RADIUS front end) or end users need to authenticate with PKI, you must also configure an HTTPS port with mutual authentication.

Note: Despite some of these network communications being available both in secure and insecure versions, this table only displays the secure version (for example, LDAP communication is available in LDAP only, but the table displays the secure version, LDAPS).

Reverse Proxy/Web Application Firewall Configuration

The following REST endpoints are used by the HID Approve™ mobile application and SDK to communicate to the authentication server:

Copy
GET https://<host>[:<port>]/idp/<DOMAIN>/authn/.well-known/openid-configuration
POST https://<host>[:<port>]/idp/<DOMAIN>/authn/token
POST https://<host>[:<port>]/idp/<DOMAIN>/authn/revoke
POST https://<host>[:<port>]/scim/<DOMAIN>/v2/Device/Provision/.search
GET https://<host>[:<port>]/scim/<DOMAIN>/v2/Device/Provision/<id>
PUT https://<host>[:<port>]/scim/<DOMAIN>/v2/Device/Provision/<id>

(where <id> represents a number)

These are endpoints that are likely to be accessed from the internet (as the clients are the end-user devices). Other endpoints are likely to be accessed only from specific sub-networks, with the possible exception of the ActivID Authentication Portal, depending on your deployment architecture.

Therefore, it is a good security practice, when applicable, to use a reverse proxy or web application firewall to filter and limit access from the internet to the aforementioned endpoints only. Other endpoints should only be reachable from specific sub-networks.

Set the System Date and Time

ActivID AS requires the synchronization of all application server clocks. You can achieve this manually or with any external time protocol. The recommended external time protocol is Network Time Protocol (NTP).

Set the time zone on the application server for ActivID AS to Coordinated Universal Time (UTC). This ensures no regional changes, such as daylight savings time, can occur to the server system clock.

Update the HTTPS Ports or Proxy Hostname/Ports

After installing the ActivID AS applications, you might need to update the ActivID Authentication Portal host/port configuration (for example, because of load balancer usage in front of several instances of the ActivID Authentication Portal).

To do so, edit the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file to update the following properties:

Copy

Update the server HTTPS ports

AUTHENTICATION_SERVER_HTTPS_PORT=<new port>
Copy

Update the reverse proxy hostname and port

IDP_HOSTNAME=<new proxy hostname>
IDP_HTTPS_PORT=<new port>
Note: After each modification, restart the applications.
Important: In deployments with TLS mutual authentication, the dedicated port is 8443 so you must make sure that the:
  • Reverse proxy forwards the <public hostname:8443> requests to <AS-hostname:8443>.
  • Reverse proxy 8443 port is configured for mutual authentications (request a certificate, trust the client certificates).
  • End-user certificate is propagated to the ActivID IdP via a configurable HTTP header.

Configure Forward Proxy Support

In deployments with an outgoing/forward proxy (such outgoing HTTPS connections for push-based authentication), you need to configure the proxy in ActivID AS.

To configure a forward proxy:

  1. Edit the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file to update the following properties:
    • F_PROXY_HOSTNAME - proxy address Host name or address of your proxy
    • F_PROXY_PORT - proxy port Listening port on your proxy
    • F_PROXY_USERNAME - proxy username If proxy authentication is required, enter the username
    • F_PROXY_USERPWD - proxy password If proxy authentication is required, enter the password
  1. To obfuscate the Proxy password, run the changePasswords.sh script as ftadmin using the following command:
Copy
su - ftadmin
/usr/local/activid/ActivID_AS/bin/changePasswords.sh

  1. At the prompt, enter 4 to obfuscate the Forward Proxy password.
  2. Restart the applications.