2.3 Setting up SSL/TLS on the SSRP
2.3.1 Web applications
The SSRP system comprises the following web applications:
- Start – the launch page that allows you to select from multiple identity providers.
- StartPage – the launch page that allows you to use only a client certificate on a PIV card as the source for the derived credential.
- SSRP – the web application that carries out secure requests for client certificate-based derived credentials.
- SSRPOID – a web application you can configure for OpenID authentication for derived credentials based on information from an external system.
You must set up the Start, StartPage, SSRP, and SSRPOID web applications to require 1-way SSL/TLS.
If you are using PIV card-based derived credentials, you must also set up the SSRP web application to require 2-way SSL/TLS. This web application verifies the cardholder's request and initiates the issuance of the client certificate-based derived credential. Make sure the Client certificates option in IIS is set to Accept; this is required if you are using the Start launch page.
If you are using only the StartPage launch page, and do not require OpenID as an authentication option, you can set the Client certificates option in IIS to Require; if you do this, you must also set the StartUrl to /StartPage in the dictionary for the SSRP web application.
By default, the SSRP dictionary.resx file is in the following location:
C:\Program Files\Intercede\MyID\SSRP\SSRP\App_GlobalResources\
Edit the StartUrl option to include the following:
<data name="StartUrl" xml:space="preserve">
  <value>/StartPage</value>
</data>
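As an added example (not part of Intercede's documentation or the MyID product), the following Python script reads and sets the StartUrl entry in a dictionary.resx fragment and checks that the chosen IIS Client certificates mode is consistent with the rules above: Require is only valid when just the StartPage launch page is used and OpenID is not needed, otherwise the mode must be Accept. The resx content is a constructed sample containing only the StartUrl entry; the real file has many more entries.

```python
"""Check/set the SSRP StartUrl in dictionary.resx and validate the IIS client certificate mode."""
import xml.etree.ElementTree as ET
from typing import List, Optional

XML_SPACE = "{http://www.w3.org/XML/1998/namespace}space"  # the xml:space attribute in Clark notation

# Constructed sample fragment of a dictionary.resx; a real file holds many more <data> entries.
SAMPLE_RESX = """<?xml version="1.0" encoding="utf-8"?>
<root>
  <data name="StartUrl" xml:space="preserve">
    <value>/Start</value>
  </data>
</root>
"""

def get_start_url(resx_text: str) -> Optional[str]:
    """Return the StartUrl value from the resx text, or None if the entry is absent."""
    root = ET.fromstring(resx_text)
    for data in root.findall("data"):
        if data.get("name") == "StartUrl":
            value = data.find("value")
            return (value.text or "").strip() if value is not None else None
    return None

def set_start_url(resx_text: str, new_url: str) -> str:
    """Return the resx text with StartUrl set to new_url, adding the entry if it is missing."""
    root = ET.fromstring(resx_text)
    for data in root.findall("data"):
        if data.get("name") == "StartUrl":
            break
    else:  # no StartUrl entry: create one with the same attributes the guide shows
        data = ET.SubElement(root, "data", {"name": "StartUrl", XML_SPACE: "preserve"})
    value = data.find("value")
    if value is None:
        value = ET.SubElement(data, "value")
    value.text = new_url
    return ET.tostring(root, encoding="unicode")

def check_client_cert_mode(start_url: Optional[str], client_cert_mode: str, openid_required: bool) -> List[str]:
    """Return a list of configuration problems (empty when the combination is valid).
    Accept is always valid; Require needs StartUrl=/StartPage and no OpenID; anything else is wrong."""
    problems: List[str] = []
    if client_cert_mode == "Accept":
        return problems
    if client_cert_mode != "Require":
        problems.append(f"Client certificates is {client_cert_mode!r}; it must be Accept or Require")
        return problems
    if start_url != "/StartPage":
        problems.append("Client certificates = Require but StartUrl is not /StartPage")
    if openid_required:
        problems.append("Client certificates = Require but OpenID authentication is needed")
    return problems
```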
2.3.2 SSL certificates
For client certificate-based derived credentials, it is important that the IIS server has a certificate in its trusted root that matches a certificate in the user’s SSL certificate chain.
The user’s computer must also have a certificate in the trusted root CA that matches a certificate in the server's SSL certificate chain.
Certificates that have expired will not be eligible for use and may well be hidden by the browser.
2.3.3 Disabling TLS 1.3
By default, TLS 1.3 is enabled on Windows Server 2022. The Self-Service Request Portal does not support TLS 1.3.
To disable TLS 1.3:
- In Internet Information Services (IIS) Manager, in the Connections pane, expand the server name, then Sites, then select the website used for SSRP; by default, this is Default Web Site.
- Right-click the website, then from the pop-up menu select Edit Bindings.
- In the Site Bindings dialog, select https.
- Click Edit.
- Select the Disable TLS 1.3 over TCP option.
- Click OK, then click Close.