Versions Compared

Version Old Version 1 New Version 2
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid for Smart ID 2124.10 R1 and later.

THIS IS A WORK IN PROGRESS!

Smart ID Identity Manager offers support for HSM (Hardware Security Model) for several use cases:

  • encrypting and decrypting of secrets in BPMN processes using the Identity Manager SecretFieldStore

  • signing of Identity Manager configuration zip files

  • signing of S/MIME emails with the Identity Manager MailTaskEncrypt and decrypt fields in the Identity Manager database

  • Sign and verify object history

  • Sign and validate config zip files

  • Encrypt config zip files

  • Sign and encrypt emails

  • Authenticate Smart ID Self-Service users to the Identity Manager backend

  • Creating JWS signatures used for Hermod's content provider API

  • Decrypting PIN blobs from pre-personalized smart-cards created with Personal Desktop Client

This is a more secure solution for signing and encryption than PKCS#12 files, which are files in the file system, only protected by a PIN code.

The set of JAR files in Certificate Manager (CM) 8.4 and later has changed. This version of CM is used with applies to Identity Manager in Smart ID 21.10 , and later - see this note for the updates, see also section "Configure Tomcat" below.

Note

Different set of JAR files for Identity Manager in Smart ID 21.10 and later

Identity Manager in Smart ID 20.10 is based on Certificate Manager SDK 8.4 , which and later (as used in IDM 21.10 and later) has a different set of JAR files compared to previous versions:

cmcommon-x.y.z.jar => renamed to cm-common-x.y.z.jar
cmsdk-x.y.z.jar => renamed to cm-sdk-x.y.z.jar
csp-x.y.z.jar => removed, all code moved to common-x.y.z.jar
common-x.y.z.jar => now includes csp code as well and carries JCE provider signature

Prerequisites

  • Installed Smart ID 2124.10 R1 or later

  • Installed and running HSM with PKCS#11 library available on the Identity Manager server

...

This section describes the engineSignEncrypt.xml valid from Identity Manager 324.12R1. For older versions, see PRIME archive.

...

  1. To avoid this, you have these options:

    1. Deploy each Identity Manager webapp on its own dedicated Tomcat instance.

      OR

    2. Remove all CMSDK JARs and all BouncyCastle JARs from all webapps' tomcat\<webapp>\WEB-INF\lib folders and place them in tomcat\libs instead (this ensures those JARs are served from the Tomcat common classloader for all webapps).

      1. CMSDK JARs:

        • cmcommon*.jar

        • cmsdk-*.jar

        • common-*.jar

      2. BouncyCastle JARs:

        • bcmail-*.jar

        • bcpgp-*.jar

        • bcpkix-*.jar

        • bcprov-*.jar (including bcprov-ext-*.jar)

Additional information

Expand
titleUseful links