The Curity Identity Server is a Linux-based server that can run on most standard Linux distributions; however, only the following are tested and supported:
All production operating systems must run on x86 64-bit platforms and, on Linux, GNU C Library version 2.25 or newer is required.
ARM-based macOS requires Rosetta 2 to be installed.
All mobile devices that consume the hypermedia authentication API must be running the following operating systems (or newer):
Only the latest versions of Chrome, Firefox, Safari, Samsung Internet and Edge are supported, on the latest versions of macOS, Windows, iOS, and Android. Older versions of those browsers, and other platforms (e.g., Linux), are supported on a best-effort basis. No other browsers (e.g., Brave, Opera, Internet Explorer) are supported on any platform. The only supported browsers for the admin Web UI are the latest versions of Chrome, Firefox, and Edge on the latest versions of Windows and macOS; no other browser on any platform is supported (though it may work).
For storing tokens, session information, etc., a database is required. Follow the hardware recommendations of your database vendor. The disk size needed depends on whether you are using the Curity Security Token Server or only the Curity Authentication Server. In the former case, 100-150 GB is recommended; if only the Curity Authentication Server is used, 50 GB is suggested.
The following databases are supported:
The Curity Identity Server can integrate with numerous kinds of repositories for authenticating users and clients. It does not store any accounts itself. To support authentication, the Curity Identity Server can retrieve user identity data from any of the following:
When the system is deployed in production environments, it is recommended to use a separate network interface for configuration and for replication of configuration between nodes.
Each node is initialized with a startup.properties file, which contains the information the server needs to connect to the admin node, such as the admin HOST address and PORT. By default, the admin service listens on 0.0.0.0 (all interfaces) on port 6789. This port should only be reachable from the internal network and must not be exposed to the Internet.
A run-time node can be configured to listen on any port. Access to this port from the user’s browser is typically required. By default, this is port 8443.
For administration, the following ports may also need to be open:
The only supported key algorithm for signing keys, signature verification keys, SSL/TLS keys, etc. is RSA. Elliptic curve (EC) and DSA keys are currently unsupported.
The only Hardware Security Modules (HSMs) that are supported are those that provide a PKCS#11 interface and are compatible with the Java Cryptography Extension (JCE). This means that every private key must be paired with an X.509 certificate; keys without certificates are inaccessible and unusable. Only one HSM can be configured, and that HSM must be usable through a single PKCS#11 slot. Public-key operations (e.g., encryption and signature verification) are not supported via the HSM; instead, public keys should be uploaded into the configuration database.
Only HTTP/1.1 and HTTP/2 are supported; HTTP/1.0 is not supported.
Only TLS 1.2 and 1.3 are supported. Even if older versions can be enabled, they are not supported and may not work as intended.
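The following pre-production check script is an added example written for this page; it is not Curity's own tooling and is not part of the product. It turns the network requirements above (admin service on 6789 reachable only internally, runtime service on 8443) and the crypto requirements (RSA-only keys, TLS 1.2/1.3 only) into checks an operator can run on a node. It assumes `ss` and `openssl` are available on the host and that the documented default ports are in use; the `ss -ltn` snapshot it audits in the stand-alone run is constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added deployment check for a Curity Identity Server node. Example code for
# this page, not Curity's own tooling. Assumes the documented default ports
# (admin 6789, runtime 8443); override via the environment if different.
ADMIN_PORT="${ADMIN_PORT:-6789}"
RUNTIME_PORT="${RUNTIME_PORT:-8443}"

# audit_listeners: read `ss -ltn` output on stdin, print one finding per
# line, and return 1 if the admin port is bound to a wildcard address
# (0.0.0.0, [::] or *) or the runtime port is not listening at all.
audit_listeners() {
    awk -v admin="$ADMIN_PORT" -v runtime="$RUNTIME_PORT" '
        NR == 1 && $1 == "State" { next }        # skip the ss header line
        {
            n = split($4, parts, ":")            # "addr:port"; IPv6 is "[::]:port"
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == admin) {
                admin_seen = 1
                if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                    print "FAIL admin port " admin " bound to wildcard address " addr
                    bad = 1
                } else {
                    print "OK   admin port " admin " bound to " addr
                }
            }
            if (port == runtime) runtime_seen = 1
        }
        END {
            if (!admin_seen) print "INFO admin port " admin " not listening (runtime-only node)"
            if (runtime_seen) print "OK   runtime port " runtime " listening"
            else { print "FAIL runtime port " runtime " not listening"; bad = 1 }
            exit bad + 0
        }'
}

# probe_tls HOST [PORT]: offer each TLS version to the runtime endpoint with
# openssl s_client and report what the server negotiates. TLS 1.0/1.1 must be
# rejected, TLS 1.2/1.3 accepted. SECLEVEL=0 is needed because an OpenSSL 3
# client refuses to offer TLS 1.0/1.1 at its default security level.
probe_tls() {
    host="$1"; port="${2:-$RUNTIME_PORT}"; rc=0
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 2; }
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # A successful handshake prints "New, TLSv1.x, Cipher is ..."; a failed
        # one prints "New, (NONE), Cipher is (NONE)", which does not match.
        proto=$(openssl s_client -connect "$host:$port" "$flag" \
                    -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null |
                sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
        case "$flag:$proto" in
            -tls1:TLSv*|-tls1_1:TLSv*) echo "FAIL $host:$port accepted $proto"; rc=1 ;;
            *:TLSv*)                   echo "OK   $host:$port negotiated $proto" ;;
            -tls1:*|-tls1_1:*)         echo "OK   $host:$port rejected $flag" ;;
            *)                         echo "FAIL $host:$port rejected $flag"; rc=1 ;;
        esac
    done
    return $rc
}

# cert_key_algorithm CERT.pem: print the certificate's public key algorithm
# and return 1 unless it is rsaEncryption, since only RSA keys are supported.
cert_key_algorithm() {
    alg=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p')
    echo "${alg:-unknown}"
    [ "$alg" = "rsaEncryption" ]
}

# Stand-alone demo on a constructed `ss -ltn` snapshot (not from a real host):
# the admin service is bound to the internal interface only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   10.0.0.5:6789      0.0.0.0:*
LISTEN 0      4096   *:8443             *:*'
printf '%s\n' "$SAMPLE_SS" | audit_listeners

# Live checks run only when a host is given: sh check.sh login.example.com
if [ $# -ge 1 ]; then
    probe_tls "$1" "${2:-$RUNTIME_PORT}"
fi
```

On a real node, pipe the live socket table in with `ss -ltn | audit_listeners`, and run `cert_key_algorithm server.pem` against any certificate before uploading it, so that an EC or DSA key is caught before the server refuses it. The admin-port check only inspects bind addresses; a wildcard bind is acceptable when a host firewall restricts 6789 to the internal network, so treat a FAIL there as a prompt to verify the firewall rather than as a definitive finding.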