OpenID Connect server
The OpenID Connect server authenticates users of the Axidian CertiFlow web applications using the OpenID Connect protocol.
It is mandatory for Axidian CertiFlow installations on Linux and optional for installations on Windows. Install the OpenID Connect server before you install the Axidian CertiFlow server.
OpenID Connect (OIDC) is an authentication and authorization protocol built on OAuth 2.0, which adds an identity layer to the OAuth framework. It enables applications to verify a user's identity and obtain basic profile information about them from an Identity Provider (IdP).
Follow the instructions for the operating system of the workstation where you plan to install the Axidian CertiFlow server.
Windows
- To install the OIDC server, run the AxidianCertiFlow.Oidc.Server-<version number>.x64.en-us.msi file.
- Install the Axidian CertiFlow server and select the OpenID Connect Authentication access control method in the server installation wizard.
- Prepare a JWT signing certificate by following the instructions below.
- Configure the OIDC server settings in the Configuration Wizard (Access Control → OpenID Connect).
- Apply the settings on the Axidian CertiFlow server.
Prepare a JWT signing certificate
Use the web server certificate as the signing certificate.
To prepare the signing certificate:
- Install the signing certificate in the Local Computer – Personal store.
- Grant IIS full access to the signing certificate's private key:
  - Open the Certificates snap-in on the workstation where the OIDC server is installed.
  - Right-click the certificate, select All Tasks → Manage Private Keys... and click Add.
  - In the Location menu, specify the server.
  - In the Enter the object names to select field, type the local group IIS_IUSRS, click Check Names, and then click OK.
  - Set the permissions to Full Control and Read.
  - Click Apply.
Edit database settings
By default, the OIDC server writes data to a local SQLite database. The SQLite database is intended for installations with a single Axidian CertiFlow server. The OIDC server's data is stored in the C:\inetpub\wwwroot\certiflow\oidc\data directory.
Other than SQLite, you can use a Microsoft SQL or PostgreSQL database. To configure the connection to Microsoft SQL or PostgreSQL, edit the OIDC server's configuration file appsettings.json.
Microsoft SQL
- Create a database in SQL Server Management Studio.
- Open the OIDC server's configuration file appsettings.json and edit the defaultConnection and provider sections. The following example uses SQL authentication for the database connection:
  "defaultConnection": "Data Source=0;Initial Catalog=oidcdb;Persist Security Info=True;User ID=servicesql;Password=p@ssw0rd;TrustServerCertificate=True"
  "provider": "mssql"
- Restart the Axidian CertiFlow OIDC application pool to apply the changes:
  - Open the Internet Information Services (IIS) Manager and select Application Pools in the left menu.
  - Select the Axidian CertiFlow OIDC application and click Recycle in the right menu.
Example parameters for connecting to Microsoft SQL
"connectionStrings": {
  "defaultConnection": "Data Source=0;Initial Catalog=oidcdb;Persist Security Info=True;User ID=servicesql;Password=p@ssw0rd;TrustServerCertificate=True"
},
"database": {
  "provider": "mssql"
},
PostgreSQL
- Create a database in PostgreSQL.
- Open the OIDC server's configuration file appsettings.json and edit the defaultConnection and provider sections. If you are using a .pgpass file, do not include the Password directive in the connection string:
  "defaultConnection": "Host=172.17.0.11;Port=5432;Database=oidcdb;Username=servicepg;Password=p@ssw0rd"
  "provider": "pgsql"
- Restart the Axidian CertiFlow OIDC application pool to apply the changes:
  - Open the Internet Information Services (IIS) Manager and select Application Pools in the left menu.
  - Select the Axidian CertiFlow OIDC application and click Recycle in the right menu.
Example parameters for connecting to PostgreSQL
"connectionStrings": {
  "defaultConnection": "Host=172.17.0.11;Port=5432;Database=oidcdb;Username=servicepg;Password=p@ssw0rd"
},
"database": {
  "provider": "pgsql"
},
Linux
- Install the Axidian CertiFlow server. The OIDC server is part of the Axidian CertiFlow server.
- Prepare a JWT signing certificate by following the instructions below.
- Configure the OIDC server settings in the Configuration Wizard (Access Control).
- Apply the settings on the Axidian CertiFlow server.
Prepare a JWT signing certificate
Use the web server certificate as the signing certificate.
To prepare the signing certificate:
Create a subdirectory in the home directory of the user account configured to run the OIDC server (www-data by default):
sudo mkdir -p /var/www/.dotnet/corefx/cryptography/x509stores/my/
How to check if the www-data user exists
To check if the www-data user exists, run the following command:
grep www-data /etc/passwd
Example output if the www-data user exists:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
If the www-data user does not exist, you can create it or change the user that runs the Axidian CertiFlow services.
To create the www-data user and log in as it, run the following commands:
sudo useradd -m -d /var/www -s /usr/sbin/nologin www-data
sudo su -s /bin/sh www-data
To log in as any other user, run the same commands with that username, and specify the username in the User directive of the service unit file:
/etc/systemd/system/certiflow-<service name>.service
Merge the certificate file and the key file into a PFX file. Place the PFX file in the subdirectory created in the user's home directory.
Caution: When you run the command, the openssl utility prompts you to set a password for the PFX file. Leave the PFX file without a password: press Enter twice. Access to the file is restricted by the 600 permission set in the next step.
sudo openssl pkcs12 -export -out /var/www/.dotnet/corefx/cryptography/x509stores/my/PFXFILE.pfx -inkey SSL.key -in SSL.crt
Set the 600 permission for the PFX file:
sudo chmod 600 /var/www/.dotnet/corefx/cryptography/x509stores/my/PFXFILE.pfx
Obtain the signing certificate's thumbprint:
sudo openssl x509 -fingerprint -in SSL.crt -noout | tr -d ':'
Example of a certificate thumbprint output:
SHA1 Fingerprint=ADB613EC1A1692310D83C81F269C098A3DBD4EE0
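The PFX preparation above can be scripted and, more importantly, verified before the OIDC server is pointed at the file. The script below is an added example and is not part of the Axidian CertiFlow documentation or product. It assumes (not from the page) a throwaway self-signed certificate produced by make_stand_in_cert in place of the real web server certificate; the empty PFX password, the 600 mode and the thumbprint format follow the page. It adds two checks the steps do not spell out: that the PFX opens without a password and carries the same certificate as SSL.crt, and that the mode really is 600.

```shell
#!/bin/sh
# Added example, not Axidian CertiFlow's own tooling: scripts the Linux PFX preparation and
# verifies the result. Assumption (not from the page): the web server certificate is replaced
# here by a throwaway self-signed certificate from make_stand_in_cert.
set -eu

# Constructed stand-in for SSL.key / SSL.crt (in production use the web server certificate).
make_stand_in_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=oidc.example.test" \
        -keyout "$dir/SSL.key" -out "$dir/SSL.crt" >/dev/null 2>&1
}

# Merge key and certificate into a PFX with an empty password (as the page instructs;
# "-passout pass:" replaces the two Enter presses) and restrict the file to its owner.
build_pfx() {
    key="$1"; crt="$2"; out="$3"
    mkdir -p "$(dirname "$out")"
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" -passout pass:
    chmod 600 "$out"
}

# SHA-1 thumbprint as the OIDC configuration expects it: the page's command with colons
# removed and the "SHA1 Fingerprint=" prefix cut off.
thumbprint() {
    openssl x509 -fingerprint -sha1 -noout -in "$1" | tr -d ':' | cut -d= -f2
}

# Thumbprint of the certificate stored inside the PFX: confirms the merge used the right
# certificate and that the file opens with an empty password.
pfx_thumbprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass: 2>/dev/null \
        | openssl x509 -fingerprint -sha1 -noout | tr -d ':' | cut -d= -f2
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh prepare_pfx.sh SSL.key SSL.crt /var/www/.dotnet/corefx/cryptography/x509stores/my/PFXFILE.pfx
main() {
    build_pfx "$1" "$2" "$3"
    [ "$(file_mode "$3")" = "600" ] || { echo "PFX mode is not 600" >&2; exit 1; }
    [ "$(thumbprint "$2")" = "$(pfx_thumbprint "$3")" ] \
        || { echo "certificate inside the PFX does not match $2" >&2; exit 1; }
    echo "Signing certificate thumbprint: $(thumbprint "$2")"
}
if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as root (or as the service user) so the PFX ends up readable by the account that runs the OIDC server; the thumbprint it prints is the value to enter in the Configuration Wizard.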
Edit database settings
By default, the OIDC server writes data to a local SQLite database. The SQLite database is intended for installations with a single Axidian CertiFlow server. The OIDC server's data is stored in the /opt/axidian/certiflow/oidc/data directory.
Other than SQLite, you can use a Microsoft SQL or PostgreSQL database. To configure the connection to Microsoft SQL or PostgreSQL, edit the OIDC server's configuration file appsettings.json.
Microsoft SQL
Create a database in SQL Server Management Studio.
Open the OIDC server's configuration file appsettings.json and edit the defaultConnection and provider sections. The following example uses SQL authentication for the database connection:
"defaultConnection": "Data Source=0;Initial Catalog=oidcdb;Persist Security Info=True;User ID=servicesql;Password=p@ssw0rd;TrustServerCertificate=True"
"provider": "mssql"
Restart the OIDC service to apply the changes.
sudo systemctl restart certiflow-oidc.service
Example parameters for connecting to Microsoft SQL
"connectionStrings": {
  "defaultConnection": "Data Source=0;Initial Catalog=oidcdb;Persist Security Info=True;User ID=servicesql;Password=p@ssw0rd;TrustServerCertificate=True"
},
"database": {
  "provider": "mssql"
},
PostgreSQL
Create a database in PostgreSQL.
Open the OIDC server's configuration file appsettings.json and edit the defaultConnection and provider sections. If you are using a .pgpass file, do not include the Password directive in the connection string:
"defaultConnection": "Host=172.17.0.11;Port=5432;Database=oidcdb;Username=servicepg;Password=p@ssw0rd"
"provider": "pgsql"
Restart the OIDC service to apply the changes.
sudo systemctl restart certiflow-oidc.service
Example parameters for connecting to PostgreSQL
"connectionStrings": {
  "defaultConnection": "Host=172.17.0.11;Port=5432;Database=oidcdb;Username=servicepg;Password=p@ssw0rd"
},
"database": {
  "provider": "pgsql"
},
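Both the Windows and the Linux database sections pair a provider name with a connection string, and the two must agree: a PostgreSQL-style string (Host/Database keys) under "provider": "mssql", or the reverse, only fails when the pool is recycled or the service restarted. The script below is an added example, not part of the Axidian CertiFlow product, that checks that pairing and reports whether a password is embedded in the string. It assumes (not from the page) that the two values have already been pulled out of appsettings.json, for instance with jq, and are passed in as plain strings.

```shell
#!/bin/sh
# Added example, not Axidian CertiFlow's own tooling: checks the "database" provider and the
# "connectionStrings" value of appsettings.json for consistency before recycling/restarting.
# Assumption (not from the page): the values are extracted from the JSON file beforehand.
set -eu

# Return 0 when the connection string uses the keys the named provider's driver expects:
# mssql (Microsoft SQL) uses Data Source / Initial Catalog, pgsql (PostgreSQL) uses Host / Database.
provider_matches_connection() {
    provider="$1"; cs="$2"
    case "$provider" in
        mssql)
            case "$cs" in
                *"Data Source="*"Initial Catalog="*|*"Initial Catalog="*"Data Source="*) return 0 ;;
            esac ;;
        pgsql)
            case "$cs" in
                *"Host="*"Database="*|*"Database="*"Host="*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Return 0 when a password is embedded in the connection string. With a .pgpass file the
# Password directive must be left out (as the page notes); otherwise the password lives in
# appsettings.json and that file's permissions decide who can read it.
has_inline_password() {
    case "$1" in
        *[Pp]assword=*|*[Pp]wd=*) return 0 ;;
    esac
    return 1
}

# Prints one verdict line; returns 1 on a provider/connection-string mismatch.
check_database_settings() {
    provider="$1"; cs="$2"
    if ! provider_matches_connection "$provider" "$cs"; then
        echo "MISMATCH: provider '$provider' does not fit the connection string keys"
        return 1
    fi
    if has_inline_password "$cs"; then
        echo "OK ($provider): inline password present"
    else
        echo "OK ($provider): no inline password"
    fi
}

# Usage: sh check_db_settings.sh <provider> '<connection string>'
# e.g. sh check_db_settings.sh pgsql "$(jq -r .connectionStrings.defaultConnection appsettings.json)"
if [ $# -eq 2 ]; then check_database_settings "$1" "$2"; fi
```

Two notes on the page's own examples. The Microsoft SQL string sets Persist Security Info=True; that setting is not needed for the connection to work and keeps the password readable from the opened connection object, so leaving it at its default is the safer choice. And since both examples embed the password in appsettings.json, the file's permissions should be limited to the account that runs the OIDC server (www-data on Linux, the application pool identity on Windows).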