
VeridiumID Server On-Prem - prerequirements & Network ACL

1. Common baseline

Before installing or deploying the VeridiumID platform on-premises, several infrastructure prerequisites must be satisfied to ensure a smooth, secure, and stable installation.
This chapter outlines all environmental, network, and system-level requirements that must be in place prior to installation.

These prerequisites apply to all deployment models, from single-node PoC setups to large multi-tier enterprise clusters.

For any on-prem VeridiumID deployment:

  • OS – Supported RHEL/Rocky / compatible Linux for VeridiumID Server and ILP, Windows Server for RA/EP and AD CS.

  • Time/NTP – All nodes (Linux and Windows) must be time-synchronized (Kerberos, TLS and token validation are all time-sensitive).

  • DNS – Forward and reverse records for all servers; stable FQDNs for Veridium URLs (web, DMZ, admin) and ILP endpoints.

  • PKI – Enterprise CA for TLS and Windows logon certificates (AD CS). External/public CA or internal CA for external-facing HTTPS endpoints.

2. Network Access List (Firewall and Connectivity)

VeridiumID services require specific inbound and outbound ports to communicate between application components, persistence nodes, and client devices.
Administrators should work with the network and security teams to define and open the following network access list prior to deployment, based on deployment type and

 

| Service Description | Source | Destination | Port | Protocol | Bi-directional |
| --- | --- | --- | --- | --- | --- |
| Deployment Node | Linux deployment server (normally one of the nodes; it must be a RHEL8/RHEL9-compatible server) | WEBAPP + PERSISTENCE | 22 | TCP | No |
| Web Service to persistence | WEBAPP | PERSISTENCE | 2181, 9042, 9092, 9095 | TCP | No |
| Persistence Service | PERSISTENCE | PERSISTENCE | 2181, 2888, 3888, 7000, 7001, 7199, 9092, 9042, 9095 | TCP | No |
| if ILP installed | WEBAPP ILP | PERSISTENCE | 2181, 9042, 9192, 9195, 9193 | TCP | No |
| if ILP installed | WEBAPP | WEBAPP ILP | 443 | TCP | No |
| if ILP installed | PERSISTENCE | PERSISTENCE | 9193, 9192, 9195 | | |
| Web Service - if port installation | Load Balancer | WEBAPP | intern: 443, 9444, 8945, 9987*; extern: 443, 8544, 8944, 9987* | | |
| Web Service - if FQDN installation | Load Balancer | WEBAPP | intern: 443; extern: 443 | | |
| Web Service | Other Services | Load Balancer | can be 443 or other ports, based on customer implementation | | |
| RAEP | Windows RAEP Servers | Intranet Balancer for WEBAPPS | 443 | TCP | No |
| RAEP | Windows RAEP Servers | Load Balancer for ADCS - PKI (active-active setup) | 443, 389, 135, 139, 49152 - 65535 | TCP | No |
| RAEP | Windows clients W11/W10 | Load Balancers for Windows RAEP Servers | 443 | TCP | No |
| RAEP | Load Balancers for Windows RAEP Servers | Windows RAEP Servers | 443 | TCP | No |
| CP | Windows clients W10/W11 Credential Provider | Intranet Load Balancers for Webapps | 443, 8945 | TCP | No |
| WEBAPP Servers | WEBAPP | ADDS - LDAP | 636 or 3269 (or 389, 3268) | TCP | No |
| If access to internet is done via Reverse proxy | WEBAPP | Reverse Proxy | Reverse proxy port | | |
| DNS | All Nodes | DNS Server | 53 | UDP | Yes |
| NTP | All Nodes | NTP Server | 123 | UDP | No |
| SMTP | All Nodes | SMTP | 25 | UDP | No |
| SIEM | All Nodes | SIEM | | | |
| SMS Gateway | WEBAPP (via reverse proxy or direct) | SMS Gateway, if required | 443 | TCP | No |
| SSO Integration | SSO | Intranet Load Balancers for Webapps | 443, 8945 | TCP | No |
| CITRIX Integration | Storefront, Netscaler | Intranet Load Balancers for Webapps | 443, 8945 | TCP | No |
| CITRIX Integration | VDA | Domain Controller | 389, 636, 3268, 3269 | TCP | No |
| RADIUS | Client Freeradius Server | WEBAPP | 2083 | TCP | No |
| RADIUS | Client Freeradius Server | WEBAPP | 1812, 1813 | UDP | No |
| Admin (WebAPP and Persistence Nodes) | Vendor PCs - MFA Admin PCs | WEBAPP and Persistence nodes | 22 | TCP | No |
| Admin (Windows RAEP Servers) | Vendor PCs - MFA Admin PCs | Windows RAEP Servers | 3389 | TCP | No |
| Google push - Android Veridium Application | WEBAPP (via reverse proxy or direct) | fcm.googleapis.com, oauth2.googleapis.com | 443 | TCP | No |
| Apple push - iOS Veridium Application | WEBAPP (via reverse proxy or direct) | api.push.apple.com | 443 | TCP | No |
| FIDO authenticators metadata | WEBAPP (via reverse proxy or direct) | mds.fidoalliance.org | 443 | TCP | No |
| Geolocation database synchronization | WEBAPP (via reverse proxy or direct) | download.maxmind.com | 443 | TCP | No |
| Mobile Device commercial data | WEBAPP (via reverse proxy or direct) | storage.googleapis.com | 443 | TCP | No |
| Map display in Admin Dashboard and SSP frontends | WEBAPP and client computers (via reverse proxy or direct) | maps.geoapify.com | 443 | TCP | No |
| Twilio - optional, for sending SMS messages | WEBAPP (via reverse proxy or direct) | api.twilio.com | 443 | TCP | No |
| Veridium Repo - optional, to download new update packages | WEBAPP and PERSISTENCE (via reverse proxy or direct) | veridium-repo.veridium-dev.com | 443 | TCP | No |
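The verification checklist at the end of this page asks for the ports above to be "open and tested between all nodes". The script below is an added example, not VeridiumID's own tooling: it encodes a few rows of the access list verbatim, maps the destination roles to hostnames (the host names in HOSTS are assumptions for an imaginary site), and probes each TCP port from the node it runs on. It distinguishes a port that is reachable but has nothing listening yet (the ACL is fine, the service is simply not installed) from one that is silently dropped by a firewall, which is the case that blocks an installation. UDP rows cannot be verified this way and are reported for manual testing.

```python
"""Connectivity check for the VeridiumID network access list (added example)."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class AclRule:
    service: str      # "Service Description" column
    source: str       # "Source" column
    destination: str  # "Destination" column (a role, mapped via HOSTS)
    ports: str        # "Port" column, kept verbatim
    protocol: str     # "Protocol" column


# Rows copied from the table above; extend with the remaining ones.
ACL: List[AclRule] = [
    AclRule("Web Service to persistence", "WEBAPP", "PERSISTENCE",
            "2181, 9042, 9092, 9095", "TCP"),
    AclRule("WEBAPP Servers", "WEBAPP", "ADDS - LDAP",
            "636 or 3269 (or 389,3268)", "TCP"),
    AclRule("RAEP", "Windows RAEP Servers",
            "Load Balancer for ADCS - PKI (active-active setup)",
            "443, 389, 135, 139, 49152 - 65535", "TCP"),
    AclRule("RADIUS", "Client Freeradius Server", "WEBAPP",
            "1812, 1813", "UDP"),
]

# Hypothetical role-to-host mapping; the table names roles, not hosts.
HOSTS: Dict[str, List[str]] = {
    "PERSISTENCE": ["persist1.company.local", "persist2.company.local"],
    "ADDS - LDAP": ["dc1.company.local"],
}


def parse_ports(spec: str) -> List[PortRange]:
    """Turn a Port cell such as '636 or 3269 (or 389,3268)' or
    '49152 - 65535' into inclusive (low, high) ranges, in cell order."""
    ranges: List[PortRange] = []
    for lo, hi in re.findall(r"(\d+)\s*(?:-\s*(\d+))?", spec):
        low, high = int(lo), int(hi) if hi else int(lo)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in {spec!r}: {low}-{high}")
        ranges.append((low, high))
    return ranges


def expand_ports(spec: str, max_sweep: int = 16) -> List[int]:
    """Ports to probe. A wide range such as the RPC dynamic range is not
    swept; only its two ends are sampled, which is enough to tell a
    dropping firewall from an open path (see probe_tcp)."""
    ports: List[int] = []
    for low, high in parse_ports(spec):
        if high - low + 1 <= max_sweep:
            ports.extend(range(low, high + 1))
        else:
            ports.extend([low, high])
    return ports


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one host:port from the connect() outcome:
    open     - handshake completed, a service is listening
    closed   - RST came back: the ACL lets traffic through, nothing listens
    filtered - no answer before the timeout, typically a firewall drop
    error    - name resolution or routing failure"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def check_rule(rule: AclRule, hosts: Dict[str, List[str]],
               timeout: float = 2.0) -> Dict[Tuple[str, int], str]:
    """Probe every host/port pair of one rule. UDP rows (RADIUS, DNS, NTP)
    cannot be verified with connect() and come back empty; test those with
    the real client (radtest, dig, chronyc sources)."""
    if rule.protocol.upper() != "TCP":
        return {}
    return {(host, port): probe_tcp(host, port, timeout)
            for host in hosts.get(rule.destination, [])
            for port in expand_ports(rule.ports)}


if __name__ == "__main__":
    for rule in ACL:
        outcome = check_rule(rule, HOSTS)
        if not outcome:
            print(f"SKIP     {rule.service}: {rule.protocol} rule, probe manually")
        for (host, port), state in outcome.items():
            print(f"{state:<8} {rule.service}: {rule.source} -> {host}:{port}")
```

Run it once per source role (for example on a WEBAPP node with the WEBAPP rows) before opening a ticket with the firewall team; a "filtered" result is the one that needs an ACL change, a "closed" result only means the target service is not up yet.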

3. DNS Entries

Correct DNS configuration is critical for both certificate validation and user access.
Depending on your deployment model (Ports or FQDN), you must create DNS entries for all VeridiumID services.

During deployment, you can choose whether to use one FQDN or different FQDNs for the internal and external deployments.

3.1 VeridiumID FQDN deployment DNS entries

| Service | Example FQDN | Notes |
| --- | --- | --- |
| Authentication (websec) | external.company.com | Core authentication API/UI |
| Registration (dmzwebsec) | dmz-external.company.com | Exposed in DMZ |
| Self-Service Portal (ssp) | ssp-external.company.com | User-facing portal (optional, used only for registration) |
| Federation (shibboleth) | shib-external.company.com | For SAML/SSO integrations |
| Authentication (websec) | internal.company.local | Core authentication API/UI |
| Admin Portal | admin-internal.company.local | Restricted internal access only |
| Self-Service Portal (ssp) | ssp-internal.company.local | User-facing portal (optional, used only for registration) |
| Federation (shibboleth) | shib-internal.company.local | For SAML/SSO integrations |

3.2 VeridiumID Port deployment DNS entries

| Service | Example FQDN | Notes |
| --- | --- | --- |
| Authentication (websec) | external.company.com | All external applications exposed on different ports |
| Registration (dmzwebsec) | internal.company.local | All internal applications exposed on different ports |

3.3 RA/EP DNS entries

| Service | Example FQDN | Notes |
| --- | --- | --- |
| RA/EP DNS entry | raep.company.local | All external applications exposed on different ports |

3.4 ILP DNS entries

| Service | Example FQDN | Notes |
| --- | --- | --- |
| ILP ingestion | ingestion.ilp.company.local | |
| ILP tenant | tenant.ilp.company.local | |
| ILP users | users.ilp.company.local | |
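Section 1 requires forward and reverse records for all servers and stable FQDNs for the service URLs; the checklist later calls for verifying that they resolve "forward and reverse". The following is an added example, not part of the VeridiumID documentation, that performs that verification: it resolves each name, then confirms that every returned address has a PTR record pointing back at the same name. Server names (persistence nodes, the RA/EP host) get the full check; load-balanced service URLs are checked forward only, since their PTR, if any, names the balancer. The resolver functions are injectable so the logic can be exercised offline; the names in NAMES are the placeholders from the tables above plus an assumed persistence host.

```python
"""Forward and reverse DNS check for VeridiumID FQDNs (added example)."""
import socket
from typing import Callable, Dict, List, Optional

ForwardFn = Callable[[str], List[str]]
ReverseFn = Callable[[str], Optional[str]]


def system_forward(name: str) -> List[str]:
    """All IPv4 addresses the system resolver returns for name ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> Optional[str]:
    """PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_name(name: str, require_reverse: bool = True,
               forward: ForwardFn = system_forward,
               reverse: ReverseFn = system_reverse) -> Dict:
    """Resolve name, then confirm each address maps back to the same name.
    Returns {"name", "ips", "ptr": {ip: ptr}, "problems": [...]}."""
    ips = forward(name)
    result = {"name": name, "ips": ips, "ptr": {}, "problems": []}
    if not ips:
        result["problems"].append("no forward (A) record")
        return result
    for ip in ips:
        ptr = reverse(ip)
        result["ptr"][ip] = ptr
        if not require_reverse:
            continue
        # DNS names are case-insensitive and PTR data may carry a trailing dot.
        if ptr is None:
            result["problems"].append(f"{ip}: no PTR record")
        elif ptr.rstrip(".").lower() != name.rstrip(".").lower():
            result["problems"].append(f"{ip}: PTR is {ptr}, expected {name}")
    return result


def check_all(names: Dict[str, bool], **resolvers) -> List[Dict]:
    """names maps FQDN -> whether a PTR is required; returns failing entries."""
    return [r for n, req in names.items()
            if (r := check_name(n, req, **resolvers))["problems"]]


# Placeholder names from the tables above plus an assumed persistence host.
NAMES: Dict[str, bool] = {
    "persist1.company.local": True,        # server: A + matching PTR
    "internal.company.local": False,       # load-balanced service URL
    "admin-internal.company.local": False,
    "raep.company.local": True,
}

if __name__ == "__main__":
    for failure in check_all(NAMES):
        print(failure["name"], "; ".join(failure["problems"]))
```

The check uses whatever resolver the node is configured with, which is what the VeridiumID services will use too; a name that resolves from the admin's workstation but not from the node is exactly the kind of inconsistency this catches.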

 

4. Certificates and Security Configuration

All VeridiumID components communicate over TLS (HTTPS). Valid, trusted certificates must be prepared in advance.

There should be 4 certificates:

  • For the external Veridium services. Normally a wildcard certificate is used; if not, the certificate must list all 4 external FQDNs as SANs.

  • For the internal Veridium services. It must contain all internal FQDN entries as SANs.

  • For the RA/EP service.

  • For the ILP services: one certificate with all 3 ILP FQDNs as additional SANs.

4.1 Certificate Requirements

  • Minimum supported protocol: TLS 1.2

  • Key length: 2048-bit or 4096-bit RSA

  • There should be one certificate for internal and one for external services (with additional SANs or a wildcard certificate).

  • Certificates must be issued by an enterprise or public CA trusted by all endpoints.

4.2 Certificate Files

Each certificate should be provided as the following files (either in PEM format or as a single P12 bundle):

  • Server certificate (.crt / .pem)

  • Private key (.key) — with restricted permissions

  • Intermediate and root CA chain
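Before handing the certificate files over for installation, it pays to check them against the requirements in 4.1 and 4.2 rather than discover a missing SAN at the first TLS handshake. The script below is an added example, not Veridium's tooling: it reads the certificate with the openssl CLI (installed by the checklist in section 5) and uses the Python standard library for the key/certificate pairing and the permission check. REQUIRED_SANS holds the example FQDNs from section 3, which are placeholders for the site's real names.

```python
"""Pre-flight checks for VeridiumID certificate files (added example)."""
import os
import re
import ssl
import stat
import subprocess
from typing import Dict, List, Set

# The four certificates of section 4 and the names each must cover.
REQUIRED_SANS: Dict[str, List[str]] = {
    "external": ["external.company.com", "dmz-external.company.com",
                 "ssp-external.company.com", "shib-external.company.com"],
    "internal": ["internal.company.local", "admin-internal.company.local",
                 "ssp-internal.company.local", "shib-internal.company.local"],
    "raep": ["raep.company.local"],
    "ilp": ["ingestion.ilp.company.local", "tenant.ilp.company.local",
            "users.ilp.company.local"],
}
ALLOWED_KEY_BITS = (2048, 4096)  # section 4.1


def _openssl(*args: str) -> str:
    """Run an openssl subcommand and return its stdout; raises if it fails."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_sans(cert_path: str) -> Set[str]:
    """Lower-cased DNS names from the subjectAltName extension."""
    text = _openssl("x509", "-in", cert_path, "-noout", "-text")
    return {s.lower() for s in re.findall(r"DNS:([^,\s]+)", text)}


def missing_sans(cert_path: str, required: List[str]) -> List[str]:
    """Required FQDNs the certificate does not cover. A wildcard SAN such as
    *.company.com covers exactly one label to its left, nothing deeper."""
    sans = cert_sans(cert_path)
    missing = []
    for name in required:
        name = name.lower()
        parent = name.partition(".")[2]
        if name not in sans and (not parent or f"*.{parent}" not in sans):
            missing.append(name)
    return missing


def rsa_key_bits(key_path: str) -> int:
    """Modulus size of the private key (0 if it cannot be read)."""
    text = _openssl("pkey", "-in", key_path, "-noout", "-text")
    match = re.search(r"Private-Key: \((\d+) bit", text)
    return int(match.group(1)) if match else 0


def key_permissions_ok(key_path: str) -> bool:
    """The private key must not be readable by group or others."""
    mode = os.stat(key_path).st_mode
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def key_matches_cert(cert_path: str, key_path: str) -> bool:
    """OpenSSL refuses to load a key that does not pair with the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError:
        return False
    return True


def chain_verifies(cert_path: str, ca_bundle_path: str) -> bool:
    """The certificate chains to the intermediate/root bundle; the validity
    period is checked as part of this."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", ca_bundle_path,
                           cert_path], capture_output=True, text=True)
    return proc.returncode == 0


def preflight(cert_path: str, key_path: str, ca_bundle_path: str,
              required: List[str]) -> List[str]:
    """Human-readable findings; an empty list means the files are ready."""
    findings = []
    gap = missing_sans(cert_path, required)
    if gap:
        findings.append("SANs missing: " + ", ".join(gap))
    if rsa_key_bits(key_path) not in ALLOWED_KEY_BITS:
        findings.append("key is not 2048-bit or 4096-bit RSA")
    if not key_permissions_ok(key_path):
        findings.append("private key is readable by group/others")
    if not key_matches_cert(cert_path, key_path):
        findings.append("private key does not match the certificate")
    if not chain_verifies(cert_path, ca_bundle_path):
        findings.append("certificate does not verify against the CA bundle")
    return findings


if __name__ == "__main__":
    import sys
    # usage: preflight.py internal|external|raep|ilp cert.pem key.pem chain.pem
    which, cert, key, chain = sys.argv[1:5]
    for line in preflight(cert, key, chain, REQUIRED_SANS[which]) or ["OK"]:
        print(line)
```

For a P12 bundle, extract the certificate, key and chain with openssl pkcs12 first and run the same checks on the resulting PEM files.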

 

5. Server Prerequisites and Preparation

VeridiumID servers run on modern 64-bit Linux distributions. The following baseline preparation must be performed before installation.

5.1 Supported Operating Systems for VeridiumID and ILP

  • Red Hat Enterprise Linux (RHEL) 8 or 9

  • Rocky Linux 8 or 9

5.1.2 System Configuration Checklist

  1. Update OS packages (optional):

     sudo yum update -y

  2. Install essential utilities. An official repository must be reachable so that Java and the other components can be installed:

     sudo yum install -y net-tools wget unzip lsof curl chrony openssl

  3. Set hostnames correctly and ensure /etc/hosts entries are consistent with DNS.

  4. Configure NTP synchronization (chrony or ntpd) to ensure consistent time across nodes.

  5. Disk partitioning:

    • Use a separate mount point for /vid-app if possible. All application data is kept in this location.

    • Allocate the necessary space on this disk, as per requirements (minimum 100 GB).
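Steps 3 and 5 above are easy to get slightly wrong (an /etc/hosts line left over from a lab, or /vid-app created as a directory on the root volume), so here is an added preflight for them; it is not Veridium's own tooling. It parses /etc/hosts and compares each non-loopback entry with DNS, and it checks that /vid-app appears as its own mount point with at least 100 GB. The file contents and the resolver are passed in as parameters so the checks can be exercised offline; the sample hosts entries and mount lines in the test are constructed.

```python
"""Preflight for /etc/hosts consistency and the /vid-app volume (added example)."""
import os
import shutil
import socket
from typing import Callable, Dict, List, Optional, Tuple

DATA_MOUNT = "/vid-app"
MIN_DATA_GB = 100  # from the checklist


def parse_hosts(text: str) -> Dict[str, str]:
    """name -> ip for every hostname and alias in /etc/hosts style text."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_dns_conflicts(hosts_text: str,
                        resolve: Callable[[str], str] = socket.gethostbyname
                        ) -> List[Tuple[str, str, Optional[str]]]:
    """(name, hosts_ip, dns_ip) for every entry where /etc/hosts and DNS
    disagree. Loopback entries are skipped: localhost is never in DNS.
    On the node itself the default resolver consults /etc/hosts before DNS,
    so either run this from another host or pass a resolver that queries
    the DNS server directly."""
    conflicts = []
    for name, ip in parse_hosts(hosts_text).items():
        if ip.startswith("127.") or ip == "::1":
            continue
        try:
            dns_ip: Optional[str] = resolve(name)
        except OSError:
            dns_ip = None
        if dns_ip != ip:
            conflicts.append((name, ip, dns_ip))
    return conflicts


def parse_mounts(text: str) -> Dict[str, str]:
    """mount point -> filesystem type from /proc/mounts style text."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            # /proc/mounts escapes spaces in paths as \040
            mounts[parts[1].replace("\\040", " ")] = parts[2]
    return mounts


def data_volume_findings(mounts_text: str, total_bytes: int,
                         mount: str = DATA_MOUNT,
                         min_gb: int = MIN_DATA_GB) -> List[str]:
    """Problems with the application data volume; empty list means fine."""
    findings = []
    if mount not in parse_mounts(mounts_text):
        findings.append(f"{mount} is not a separate mount point")
    size_gb = total_bytes / 2**30
    if size_gb < min_gb:
        findings.append(f"{mount} is {size_gb:.0f} GB, minimum is {min_gb} GB")
    return findings


if __name__ == "__main__":
    with open("/etc/hosts") as f:
        for name, hosts_ip, dns_ip in hosts_dns_conflicts(f.read()):
            print(f"hosts/DNS mismatch: {name} hosts={hosts_ip} dns={dns_ip}")
    total = shutil.disk_usage(DATA_MOUNT).total if os.path.isdir(DATA_MOUNT) else 0
    with open("/proc/mounts") as f:
        for finding in data_volume_findings(f.read(), total):
            print(finding)
```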

5.2 Supported Operating Systems for RA/EP

  • Windows Server 2022

 

6. Service Accounts and other Requirements

| Service account | Description | Notes |
| --- | --- | --- |
| LDAP bind | User account with read permissions to Active Directory or an alternative user directory | This account will be used for the LDAP bind. |
| CA Cert (optional) | CA certificate in base64 (PEM) format, if the connection is made using LDAPS | The CA that issued the domain controller's certificate, to enable LDAP/S on port 636 or 3269 |
| SMTP connection | A user to connect to the SMTP server, to be able to send emails. | This user will be used to connect to the SMTP server to send email. |
| *SMS user | A user to connect to the SMS gateway server, to be able to send SMS messages. | This user will be used to send SMS messages (by default Twilio is supported). |
| root/other Linux user | A privileged user is needed during the installation of the product. It can be root or another user with full sudo privileges. | The privileges are needed only for installation of the product. |
| SPNEGO service account | A service account in the local directory for the SPNEGO flow. | In addition to the service account, a keytab must be generated for the SPNEGO configuration. |

7. Verification Checklist

Before beginning the installation:
✅ Network ports open and tested between all nodes - Mandatory
✅ Linux servers updated, Java installed - Mandatory

✅ DNS entries resolve correctly (forward and reverse) - Optional, can be done after installation
✅ Valid TLS certificates installed or available - Optional, can be done after installation
✅ Service accounts created and verified - Optional, can be done after installation
