
Server initial configuration

1. Configure Access to the nodes

To access the VeridiumID application, the internal and external FQDNs need to be configured either in the client's DNS or directly in the hosts file on the local machine.

List of FQDNs:

# In case of SNI deployment
# Internal FQDNs
Admin Dashboard : admin-intFQDN
Self Service Portal: ssp-intFQDN
Websec API: intFQDN
Shibboleth Internal (Identity Provider): shib-intFQDN
# External FQDNs
Shibboleth External (Identity Provider): shib-extFQDN
Self Service Portal: ssp-extFQDN
DMZ Websec API: dmz-extFQDN
Websec API: extFQDN
# In case of Ports deployment
intFQDN: 9444, 9987, 443, 8945
extFQDN: 9987, 443, 8944, 8544
# Where intFQDN and extFQDN are the FQDNs provided during the installation.

2. Access the Admin Dashboard and generate the default admin certificate

After configuring access to the Admin Dashboard’s FQDN, connect to it using the following URL:

  • in case of SNI deployment: https://admin-intFQDN/veridium-manager

  • in case of ports deployment: https://intFQDN:9444/veridium-manager

After accessing the Admin Dashboard, click on Create Default Administrator.

Then complete the form and click on Save to download the Admin certificate:

 


After downloading the certificate, add it to your local machine’s keystore or to the browser’s keystore, then access the Dashboard in a new browser session or an incognito window.

In the new session, provide the certificate to access the Dashboard and accept the license.

3. Configure Services

For VeridiumID to work, the following services need to be configured:

  • LDAP connection

  • Email server connection (*Optional)

  • Twilio/SMS Gateway connection (*Optional)

  • License configuration

All services mentioned above can be configured by accessing the Quick Setup tab. To access this tab you can either:

  • Click on OK on the notification that appears only when the services are not already configured (that is, after the installation).

  • Select the Quick Actions icon from the Admin Dashboard (on the right side of the screen).

3.1 Configure LDAP connection

To configure the LDAP connection, complete the form with the correct credentials.

Make sure there is connectivity between the VeridiumID web application nodes and the LDAP server. To check connectivity, connect to the VeridiumID nodes using SSH and run the following command: nc -vz LDAP_SERVER_IP PORT

To save the LDAP connection, first click on Test Connection and afterwards on Continue.


The next step will be to select which LDAP groups will be allowed to use VeridiumID applications, or leave the Allowed Groups empty to allow all groups. Click on Continue to go to the next step.


The step above is optional and can be skipped. During this step you can test the LDAP query by clicking on Search User. To go to the next step, click on Continue.

3.2 License configuration

During this step the VeridiumID license will be added to the server.

 


Either drag and drop the license archive or click to browse for it.

In order to obtain a valid license archive, please contact VeridiumID.

After selecting the license archive click on Continue to advance to the next step.

3.3 Email Server configuration

During this step the Email server is configured.

After completing the form, to test the connection click on Send Test Email and provide a valid email address.

 


After testing the email configuration click on Continue to advance.

3.4 SMS server configuration

During this step you can either configure the SMS Gateway or add your Twilio account in order to enable SMS usage from the VeridiumID server.

To test the configuration click on Send Test SMS and provide a valid phone number (with country code):

 


To advance click on Continue.

3.5 Finishing the configuration

During this step the QR code used for enrolling VeridiumID mobile applications will be presented.


To finish the configuration click on Finish.

4. Update domain certificates

During the deployment a self-signed certificate is generated in order to complete the deployment.

4.1 Using one certificate for Veridium

Applies in the following cases:

  • same FQDN for internal and external services

  • different FQDN for internal and external services but the SSL termination is done in a different layer for external services

If Veridium is not used as the first SSL termination layer, the self-signed server.pem client certificate must be replaced with a trusted one.

  1. In Veridium manager, navigate to Tools → Haproxy configuration

  2. In the Certificates tab select the type of the trusted client certificate that needs to be uploaded. The possible options:

    1. PKCS12 - upload a certificate chain that contains also the private key and add the required password

    2. CERTIFICATE - upload the certificate chain and private key as separate files

      After uploading the certificate chain, the certificates that are part of the chain and the private key type are displayed below the upload boxes.

  3. Click on Save button

  4. When saving, the uploaded certificate chain is also added in the Veridium server Truststore

  5. To apply the uploaded certificate on the server nodes, a specific command must be run on the webapp nodes. To do this, navigate to Settings → Nodes

  6. On the right hand side panel expand the Haproxy category

  7. Click on the “change server.pem” command

  8. A pop-up will be displayed. Select all the webapp nodes from the drop-down field and click on Run

  9. After the command has run, the result status will be displayed for each node in the Nodes section.

  10. If the command ran successfully on a node then the corresponding line in the nodes list will turn green

  11. If the command failed on a node, the corresponding line will turn red. To check the logs of the command execution on a node, click on View actions on the corresponding line. Each execution log can be opened to see its status.

4.2 Using 2 client certificates for Veridium (internal and external)

Applies when:

  • Veridium is the first layer of SSL termination and different internal and external FQDNs are used

To change it, the VeridiumID server requires two certificate files, each containing the certificate and its full chain (one for the internal domain and another for the external).

The certificates can be in PKCS12, P7B, PEM format.

Before adding the certificates, the haproxy configuration template must be changed in the templates section to accommodate the serverExt.pem and serverInt.pem client certificates. By default, the platform uses the server.pem client certificate, for the use case where the SSL termination is done on another layer.

Changing the Haproxy configuration

  1. In Veridium manager go to Tools → Tenant configuration

  2. In the templates tab click on “haproxy”

  3. There are 2 files that will be displayed. Click on the View icon for haproxy.cfg file to see the content on the right-hand side

  4. In the content box, search for the string “server.pem”. For each occurrence found, comment out the line where “server.pem” was found (by adding # in front of it) and uncomment the commented line below it, which sets the serverInt or serverExt certificate. There should be 10 occurrences where this change needs to be made.

  5. Save the configuration

  6. Go to Tools → Nodes

  7. On the right hand side panel, expand the Haproxy category and click on “change Haproxy.cfg” command.

  8. A pop-up will open where the webapp nodes must be selected for the template change to be applied.


  9. Click on the Run button
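The swap described in step 4 can be rehearsed and checked on a local copy of the template text before it is saved. The script below is an added example, not part of the Veridium tooling; the sample directives and paths are constructed, and it assumes the layout the step describes (an active server.pem line directly followed by its commented serverInt/serverExt replacement).

```sh
#!/bin/sh
# Added example. Works on a local copy of the haproxy.cfg template text.

# Constructed sample: directives, port-to-frontend mapping and paths are
# illustrative, not the real Veridium template.
sample_cfg() {
  cat <<'EOF'
frontend fe_internal
    bind *:9444 ssl crt /etc/example/server.pem
    #bind *:9444 ssl crt /etc/example/serverInt.pem
frontend fe_external
    bind *:8944 ssl crt /etc/example/server.pem
    #bind *:8944 ssl crt /etc/example/serverExt.pem
EOF
}

# count_active FILE NAME: number of uncommented lines that mention NAME.
count_active() {
  awk -v name="$2" '
    /^[ \t]*#/ { next }
    index($0, name) { n++ }
    END { print n + 0 }' "$1"
}

# swap_server_pem FILE: print FILE with every active server.pem line commented
# and the commented serverInt/serverExt line right below it uncommented.
# A server.pem line without such a partner is left untouched and makes the
# function fail, so a half-edited template is never produced silently.
swap_server_pem() {
  awk '
    function release() { if (held != "") { print held; unmatched++ } held = "" }
    held != "" && /^[ \t]*#.*server(Int|Ext)\.pem/ {
      print "#" held
      sub(/#[ \t]?/, ""); print
      held = ""; swapped++; next
    }
    { release() }
    /^[ \t]*[^# \t].*server\.pem/ { held = $0; next }
    { print }
    END {
      release()
      printf "swapped=%d unmatched=%d\n", swapped, unmatched > "/dev/stderr"
      exit (unmatched > 0)
    }' "$1"
}

# Stand-alone use: ./swap.sh haproxy.cfg > haproxy.new.cfg
if [ -n "$1" ]; then swap_server_pem "$1"; fi
```

On the real template the reported swapped count should equal the 10 occurrences mentioned in step 4, and count_active for server.pem should be 0 afterwards.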

Change serverExt.pem

  1. In Veridium manager, navigate to Tools → Haproxy configuration

  2. In the Certificates tab select the type of the trusted client certificate that needs to be uploaded for external traffic. The possible options:

    1. PKCS12 - upload a certificate chain that contains also the private key and add the required password

    2. CERTIFICATE - upload the certificate chain and private key as separate files

      After uploading the certificate chain, the certificates that are part of the chain and the private key type are displayed below the upload boxes.

  3. Click on Save button

  4. When saving, the uploaded certificate chain is also added in the Veridium server Truststore

  5. To apply the uploaded certificate on the server nodes, a specific command must be run on the webapp nodes. To do this, navigate to Tools → Nodes

  6. On the right hand side panel expand the Haproxy category

  7. Click on the “change serverExt.pem” command

  8. A pop-up will be displayed. Select all the webapp nodes from the drop-down field and click on Run

  9. After the command has run, the result status will be displayed for each node in the Nodes section.

  10. If the command ran successfully on a node then the corresponding line in the nodes list will turn green

  11. If the command failed on a node, the corresponding line will turn red. To check the logs of the command execution on a node, click on View actions on the corresponding line. Each execution log can be opened to see its status.

Generate and change serverInt.pem

To be able to add a client certificate for the internal traffic, a valid certificate must be generated from the internal certificate authority service.

Generate CSR

  1. In Veridium manager go to Tools → Haproxy configuration → CSR tab

  2. Click on the view icon for the HAPROXY_CNF_BASE64

  3. Add the necessary details for the CSR

  4. Click on Save

  5. Click on Generate private key (this step is required if the client doesn’t already have a private key to be used). If the client already has a private key, it must be uploaded in Veridium manager using the “Upload private key” button

  6. Click on generate CSR and save the file

  7. Access your internal Certificate Authority service to generate the internal certificate (the example below is for Microsoft Active Directory Certificate Services)

  8. Select “Get a certificate”

  9. Select “advanced certificate request”

  10. Add the content of the CSR saved at step 6, select the Certificate Template = Web Server 10 and click Submit

  11. Download the certificate chain Base64 encoded

  12. Get the private key generated at step 5 (or the private key already owned) from Tools → Haproxy configuration → Config details tab → Download HAPROXY_PUBLIC_CERT_KEY_PEM_BASE64

  13. Go to Tools → Haproxy configuration → Certificates Tab and select Type=CERTIFICATE

  14. Upload the generated certificate chain and the private key and click Save

  15. To apply the uploaded certificate in the serverInt.pem file on the server, go to Tools → Nodes

  16. Expand the Haproxy category and click on “change serverInt.pem” command

  17. In the displayed pop-up select the webapp nodes and click on Run

  18. The status of the execution will be displayed for each node.
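When the chain and private key are uploaded as separate files (Type=CERTIFICATE, in 4.1 and in both parts of 4.2), the pair can be checked locally with the openssl CLI before the upload. This is an added example, not Veridium tooling; the file names are placeholders, and it assumes the leaf certificate is the first one in the chain file and that one certificate has to cover every FQDN served under it (for SNI, the names listed in section 1).

```sh
#!/bin/sh
# Added example: local pre-upload checks with the openssl CLI.

# cert_key_match CHAIN KEY: succeeds when the first certificate in CHAIN
# (the leaf) and the private key KEY carry the same public key.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# missing_names CHAIN NAME...: print every NAME the leaf does not cover.
# openssl applies SAN and wildcard matching for -checkhost.
missing_names() {
  mn_chain=$1; shift
  for mn_name in "$@"; do
    openssl x509 -in "$mn_chain" -noout -checkhost "$mn_name" |
      grep -q 'does match' || printf '%s\n' "$mn_name"
  done
}

# valid_for_days CHAIN DAYS: succeeds when the leaf is still valid in DAYS days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# preflight CHAIN KEY NAME...: run all checks, report, non-zero on any failure.
preflight() {
  pf_chain=$1; pf_key=$2; shift 2; pf_rc=0
  cert_key_match "$pf_chain" "$pf_key" ||
    { echo "key does not match leaf certificate"; pf_rc=1; }
  valid_for_days "$pf_chain" 30 ||
    { echo "leaf expires within 30 days"; pf_rc=1; }
  pf_missing=$(missing_names "$pf_chain" "$@")
  [ -z "$pf_missing" ] || { echo "names not covered: $pf_missing"; pf_rc=1; }
  return "$pf_rc"
}

# Stand-alone use (placeholder names; substitute the real FQDNs):
#   ./preflight.sh chain.pem key.pem intFQDN admin-intFQDN ssp-intFQDN shib-intFQDN
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

A passphrase-protected key makes openssl prompt for the passphrase during cert_key_match.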

4.3 Enable Certificate Pinning

Access the Admin Dashboard and navigate to Settings → Certificates → Pinning and enable the feature from the right side of the screen.

 


After this, to create pins for the new domain certificates, click on Upload Certificate for pin certificate and upload the new External domain certificates.

5. Configuring and Managing Email Alerts & Lost Mode Cron Jobs in Veridium Manager
