asymCipher

RSA/ECB/OAEPWithSHA-384AndMGF1Padding

Must be declared so the iD2 provider accepts it:

• "None" is not supported as cipher mode but "ECB" is

• In OAEP padding, all SHA-x hashes must be given with a dash in the name

<keys> section:

type name

HSM

Must be "HSM" for keys stored in the HSM.

locationValue

• Either the absolute path of the HSM's P11 DLL/.so (without extension) OR

• the DLL/.so's filename without extension

pin

The user PIN of the HSM.

The pin.encrypted attribute is also supported to scramble the PIN.

Note that for Docker deployments it is required to pre- scramble the PINs before starting the IDM Admin and IDM Operator containers for the first time(stop them by invoking docker compose down from within docker/compose/identitymanager/admin and docker/compose/identitymanager/operator, if already running).
This is done by first replacing each pin="thePlainTextPin" with pin.encrypted="thePlainTextPin" and then invoking the following command from within the docker/compose/identitymanager/bootstrap folder: docker compose run --rm scramble_sign_encrypt_config

alias

The alias of the respective key.

In the HSM, the keypair and the certificate must be stored within the same label/alias.

slot

Optional if your keys are in HSM slot 0.

Note that the first slot is not always 0.