3.2 Configuring the MyID Verification Service

The MyID Verification Service comprises the following web services:

3.2.1 Configuring the client certificate

This is applicable to the MobileAuthInternal service only.

In addition to setting up 2-way TLS, you must explicitly list the client certificates that are allowed to authenticate, as IIS does not provide the required fine-grained control. To do this, add the thumbprint of each allowed client certificate to the appsettings.Production.json file in the web service folder.

This file is the override configuration file for the appsettings.json files for the service. If the file does not already exist, you must create it in the same folder as the appsettings.json file.

By default, this is:

C:\Program Files\Intercede\MyIDMobileAuthenticator\InternalWS\

If you are creating a new appsettings.Production.json file, include the following content:

{
  "MyID":  {
    "AllowedClientCertThumbprints":  [
      "Add accepted client cert hex thumbprint value(s) here"
    ]
  }
}

Replace the text with a list of certificate thumbprints that have been issued for client systems to use; for example:

"AllowedClientCertThumbprints": [
  "8dcd7b4f081143e1b9b0108bc88720ccd01fe163"
]

If you already have an existing appsettings.Production.json file, add the AllowedClientCertThumbprints entry to the MyID section.

You can find the certificate thumbprint in the Properties dialog of the certificate, on the Details tab, in the Thumbprint field.

Note: If you want to use an alternative authentication method in IIS instead of 2-way TLS, you must disable TLS in the configuration file. See section 3.2.7, Disabling 2-way TLS for the internal authentication service.

3.2.2 Configuring Firebase Cloud Messaging

This is applicable to the MobileAuthInternal service only.

The MobileAuthInternal web service uses Firebase Cloud Messaging (FCM) to send notification messages to MyID-provisioned mobile devices. To access FCM, the web service requires an authentication token; contact Intercede customer support to obtain your token file, quoting reference SUP-326.

Once you have received your Firebase token file:

  1. Copy the file to the web service folder.

    By default, this is:

    C:\Program Files\Intercede\MyIDMobileAuthenticator\InternalWS\

  2. Open a PowerShell window using the MyID web services user.

    This must be the same user as the one used for the MobileAuthInternalPool IIS application pool used by the MobileAuthInternal web service.

  3. Run the following PowerShell command:

    .\DPAPIEncryptFile.ps1 firebase.oath.json

    This creates a file called firebase.oath.json.enc and removes the original file.

    Note: If the Firebase token file you have been provided has a different name, specify that name instead of firebase.oath.json. The PowerShell script creates an encrypted version of the file with .enc appended to its filename; for example, if your token file is mytoken.oath.json, the script creates an encrypted file called mytoken.oath.json.enc. You must then update the appsettings.Production.json file in the InternalWS folder to specify this filename; for example:

    {
      "MyID":  {
        "FirebaseCredentialPath":  "mytoken.oath.json.enc",
        "AllowedClientCertThumbprints":  [
          "8dcd7b4f081143e1b9b0108bc88720ccd01fe163"
        ]
      }
    }
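The following helper, added here as an example and not part of the Intercede product or this guide, performs the edits that sections 3.2.1 and 3.2.2 describe: it creates appsettings.Production.json if it is missing, or updates the MyID section of an existing file without disturbing anything else. It also normalises the thumbprint exactly as copied from the certificate Properties dialog (spaced hex pairs, possibly with a leading non-printing character) and drops the template placeholder text. The file path, the thumbprint value and the credential filename are constructed sample values.

```python
import json
import os
import re
import tempfile

# Constructed sample: a thumbprint as pasted from the Windows certificate
# Properties dialog (spaced hex pairs with a leading left-to-right mark).
DIALOG_THUMBPRINT = "\u200e8d cd 7b 4f 08 11 43 e1 b9 b0 10 8b c8 87 20 cc d0 1f e1 63"


def normalize_thumbprint(value):
    """Return the thumbprint as 40 lowercase hex characters, or raise ValueError."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hex_only) != 40:  # a SHA-1 thumbprint is 20 bytes
        raise ValueError("not a 40-hex-character thumbprint: %r" % value)
    return hex_only.lower()


def merge_myid_settings(path, thumbprints=(), firebase_credential_path=None):
    """Create or update appsettings.Production.json, touching only the MyID keys
    covered by sections 3.2.1 and 3.2.2 and keeping all other content intact."""
    settings = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            settings = json.load(f)
    myid = settings.setdefault("MyID", {})
    if thumbprints:
        merged = []
        for t in myid.get("AllowedClientCertThumbprints", []):
            try:  # keep valid existing entries; drop the template placeholder text
                n = normalize_thumbprint(t)
            except ValueError:
                continue
            if n not in merged:
                merged.append(n)
        for t in thumbprints:
            n = normalize_thumbprint(t)  # a malformed new value is an error, never dropped
            if n not in merged:
                merged.append(n)
        myid["AllowedClientCertThumbprints"] = merged
    if firebase_credential_path is not None:
        myid["FirebaseCredentialPath"] = firebase_credential_path
    with open(path, "w", encoding="utf-8") as f:
        json.dump(settings, f, indent=2)
    return settings


def demo():
    """Run the helper against the guide's template file, written to a temp folder."""
    path = os.path.join(tempfile.mkdtemp(), "appsettings.Production.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"MyID": {"AllowedClientCertThumbprints":
                   ["Add accepted client cert hex thumbprint value(s) here"]}}, f)
    merge_myid_settings(path, [DIALOG_THUMBPRINT], "mytoken.oath.json.enc")
    with open(path, encoding="utf-8") as f:
        return json.load(f)
```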

3.2.3 Configuring the database

Important: The installation procedure currently sets up the password for SQL Authentication incorrectly; if you are using SQL Authentication, you must follow the instructions in section 3.2.3.1, Encrypted database passwords below to log on as the MyID Authentication user and encrypt and store your database password for both the InternalWS and ExternalWS web services.

This is applicable to both the MobileAuthInternal service and the MobileAuthExternal web service.

The internal and external facing web services both require access to the MyID database and the specific authentication database.

You configure the databases when you install the web service; see section 3.1, Installing the verification service for details.

The database settings are stored in the appsettings.json file in each web service folder.

Important: The connection settings are updated when you run the installation program. If you have made any manual changes to the appsettings.json file, these are overwritten by the values you provide in the installer.

By default, these folders are:

C:\Program Files\Intercede\MyIDMobileAuthenticator\InternalWS\

and:

C:\Program Files\Intercede\MyIDMobileAuthenticator\ExternalWS\

A section at the bottom of the configuration file contains connection details; for example, for a database using Windows authentication:

"ConnectionStrings": {
  "MyIDDatabase": "Database=MyID; Server=localhost; Trusted_Connection = true;",
  "MobileAuthenticatorDatabase": "Database=MobileAuthenticator; Server=localhost; Trusted_Connection = true;"
},

By default, the connection strings are configured for a database that runs locally and uses a trusted connection. These entries must be configured to reference the server where each database is running, and the correct authentication parameters.

3.2.3.1 Encrypted database passwords

If you are using a user ID and password instead of a trusted connection, and you need to update the connection settings after installation, you must specify a password in the appsettings.json file.

You can use the Password Change Tool to update the password; see the Working with SQL accounts section in the Password Change Tool guide.

Alternatively, you can update the file manually; to do this, you must encrypt the password and use the PasswordDPAPI parameter instead of the usual clear-text Password parameter.

Log on to the server as the MyID Authentication user and use the supplied DPAPIEncrypt.ps1 PowerShell script to encrypt your password; this takes a single parameter, the password, and returns a Base64-encoded encrypted password. For example:

PS C:\Projects> .\DPAPIEncrypt.ps1 p455w0rd

AQAAANCMnd8BFdER[...]bq/L/gCw==

You can then use the Base64-encoded encrypted password in the PasswordDPAPI parameter; for example:

PasswordDPAPI=AQAAANCMnd8BFdER[...]bq/L/gCw==
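To check that neither web service's appsettings.json still carries a clear-text Password (the situation section 3.2.3 warns the installer can leave you in), the following audit is added here as an example and is not part of the product or this guide. It parses the ConnectionStrings section and classifies each entry as Windows authentication, PasswordDPAPI-protected SQL authentication, clear-text password, or a SQL login with no credential at all. The sample document, server names and credential values are constructed.

```python
import json

# Constructed sample in the shape of the guide's ConnectionStrings section:
# one trusted connection, one SQL login done right with PasswordDPAPI, and one
# that still carries a clear-text Password= (the case this audit is for).
SAMPLE_APPSETTINGS = json.dumps({"ConnectionStrings": {
    "MyIDDatabase": "Database=MyID; Server=localhost; Trusted_Connection = true;",
    "MobileAuthenticatorDatabase": "Database=MobileAuthenticator; Server=dbhost; "
                                   "User ID=myidauth; PasswordDPAPI=BASE64-DPAPI-BLOB-PLACEHOLDER;",
    "Legacy": "Database=MobileAuthenticator; Server=dbhost; User ID=myidauth; Password=p455w0rd;",
}})


def parse_connection_string(cs):
    """Split 'Key = value; ...' into a dict with lowercased, trimmed keys
    (the guide's sample has spaces around '=' in Trusted_Connection = true)."""
    parts = {}
    for item in cs.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        parts[key.strip().lower()] = value.strip()
    return parts


def audit_connection_strings(appsettings_text):
    """Return {connection name: verdict} for every entry under ConnectionStrings."""
    verdicts = {}
    for name, cs in json.loads(appsettings_text).get("ConnectionStrings", {}).items():
        p = parse_connection_string(cs)
        trusted = (p.get("trusted_connection", "").lower() in ("true", "yes", "sspi")
                   or p.get("integrated security", "").lower() in ("true", "yes", "sspi"))
        if "password" in p or "pwd" in p:
            verdicts[name] = "CLEAR_TEXT_PASSWORD"  # must be replaced by PasswordDPAPI
        elif "passworddpapi" in p:
            verdicts[name] = "OK_DPAPI"
        elif trusted:
            verdicts[name] = "OK_WINDOWS_AUTH"
        else:
            verdicts[name] = "NO_CREDENTIAL"  # SQL login with neither password form
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_connection_strings(SAMPLE_APPSETTINGS).items():
        print(f"{name}: {verdict}")
```

Run it against both C:\Program Files\Intercede\MyIDMobileAuthenticator\InternalWS\appsettings.json and the ExternalWS copy; any CLEAR_TEXT_PASSWORD result is an entry to rewrite with PasswordDPAPI.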

3.2.4 Configuring the firewall for outgoing mobile notifications

The MobileAuthInternal web service must be able to communicate with Google’s Firebase Cloud Messaging service.

See the Google documentation for details of configuring the firewall:

firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall

3.2.5 Configuring the firewall for incoming mobile notifications

Mobile devices using the MyID Authenticator app must be able to receive push notifications as part of their normal operation.

See the Apple website for details of configuring firewalls for devices to receive these notifications:

support.apple.com/en-gb/HT203609

3.2.6 Configuring the firewall for incoming MyID Authenticator app data

The MobileAuthExternal web service receives communications from the MyID Authenticator app running on mobile devices. This is used periodically to receive push notification tokens from the app, and every time the app is used to perform an authentication.

Any firewall configuration affecting the MobileAuthExternal web service must allow standard https traffic through to the port that the MobileAuthExternal web service has been configured to listen on; typically, this is port 443.

3.2.7 Disabling 2-way TLS for the internal authentication service

This is applicable to the MobileAuthInternal service only.

By default, the service is configured to require 2-way TLS, and to specify a client certificate thumbprint – see section 3.2.1, Configuring the client certificate.

If you want to configure your system to use an alternative authentication system in IIS, you must disable TLS in the MobileAuthInternal service configuration file.

To disable TLS, you must add the EnableClientCertAuthentication setting with a value of false to the appsettings.Production.json file in the web service folder; by default, this is:

C:\Program Files\Intercede\MyIDMobileAuthenticator\InternalWS\

Add the setting to the MyID section.

For example:

{
  "MyID":  {
    "EnableClientCertAuthentication":  "false"
  }
}

If this setting is missing, or set to any value other than false, then 2-way TLS is required.