Table of Contents
The Curity Identity Server is a Linux based server that can run on most standard Linux distributions, however the following are tested and supported:
All operating systems must run on x86 64-bit platforms.
The only supported browsers for use with the admin Web UI are the latest versions of Chrome and Firefox. No other browser is supported though they may work.
For storing tokens, session information, etc., a database is required. Follow the hardware recommendations of your database vendor. The hard drive size that should be used depends on if you are using the Curity Security Token Server or if you are only using the Curity Authentication Server. In the former case, 100-150 GB is recommended. If only the Curity Authentication Server is used, then 50 GB is suggested.
The following databases are supported:
The Curity Identity Server can integrate with numerous kinds of repositories for authenticating users and clients. It does _not_ store any accounts itself. To support authentication, the Curity Identity Server can retrieve user identity data from any of the following:
When the system is deployed in production environments it’s recommended to use a separate Network Interface for configuration and replication of configuration.
Each node is initialized with a startup.properties file. This file contains the information for the server to be able to connect to the admin node. Such as HOST address and PORT. By default the Admin service will listen to 0.0.0.0 on port 6789. This port should only be open on the internal network, and not open to the Internet.
A run-time node can be configured to listen on any port. Access to this port from the user’s browser is typically required. By default, this is port 8443.
For administration, the following ports may also need to be open:
The only supported encryption algorithm for signing keys, signature verification keys, SSL, etc. is RSA. Elliptic curve and DSA are currently unsupported.
The only Hardware Security Modules (HSMs) that are supported are those that provide a PKCS#11 interface and are compatible with the Java Cryptography Extension (JCE). Only one HSM can be configured and that HSM must be configurable using just one PKCS#11 slot. Public key operations (e.g., encryption and signature verification) are not supported; instead, public keys should be uploaded into the configuration database.
Only HTTP 1.1 is supported. HTTP 1.0 and 2.0 are not supported.