Skip to content

get-authentication-data.md

Latest commit

 

History

History
61 lines (50 loc) · 3.38 KB

get-authentication-data.md

File metadata and controls

61 lines (50 loc) · 3.38 KB

Get authentication details for the Mobile ID client

The authentication of the Mobile ID client happens over two separate channels:

  • at connection time, during TLS handshake, the Mobile ID server authenticates the client via TLS client authentication. You therefore need a client certificate to be enrolled on Swisscom's side.
  • after the connection is established, there is another pair of Application Provider (AP) ID and password that need to be provided with each request sent to the Mobile ID service. This is provided by Swisscom during test/production account setup.
  • optionally, for the TLS handshake phase, you might also need the certificates of the CA that issued the server TLS certificate. If you are using the production version of Mobile ID, then those CAs should be already trusted on your host. If otherwise, the CA certificates need to be added in a Java truststore that is configured on the Mobile ID client before first run.

To start using the Mobile ID client, you need the client (and server) TLS certificates and the AP ID and password. Additionally, you need to ensure the IP's that your clients are using to access the Mobile ID service are configured and allowed on Mobile ID side (see side note #2 below).

Using these details

As an example, once you have the authentication data ready for the Mobile ID client, you can use it for configuring the client. Please continue to configure the client.

Side-note 1 - Generating a test certificate

Should you need it, here is a quick guide on generating a test certificate to be enrolled on the Mobile ID service. For these steps, a local installation of OpenSSL is needed (for Windows, the best option is to use the one that comes with GIT for Windows (see /usr/bin/openssl.exe)).

Generate first a private key:

openssl genrsa -des3 -out my-mid-client.key 2048

Then generate a Certificate Signing Request (CSR):

openssl req -new -key my-mid-client.key -out my-mid-client.csr

You will be asked for the following:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: YourCity
Locality Name (eg, city) []: YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]: TEST Your Company
Organizational Unit Name (eg, section) []: For test purposes only
Common Name (e.g. server FQDN or YOUR name) []: TEST Your Name
Email Address []: your.name@yourmail.com

Then generate a self-signed certificate:

openssl x509 -req -days 365 -in my-mid-client.csr -signkey my-mid-client.key -out my-mid-client.crt

This is the last step. Now you have a self-signed certificate that can be enrolled on Mobile ID service's side in order to get a test account.

Side-note 2 - Mobile ID client IP filtering

For security purposes, the client IPs that are allowed to access the Mobile ID main endpoint need to be added to a permission list before the client can connect and access the Mobile ID service. Please make sure during the setup process that the IPs that you and your internal clients are using to connect to the Mobile ID service are properly communicated and allowed on Mobile ID side.

In some cases, using an SSH tunnel and editing the HOSTS file on client's machine are required in order to have all the clients be able to access the Mobile ID service.