Versions Compared

Version Old Version 5 New Version 6
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid for Smart ID 24.R1 and later.

THIS IS A WORK IN PROGRESS!

Smart ID Identity Manager offers support for HSM (Hardware Security Model) for several use cases:

  • Encrypt and decrypt fields in the Identity Manager database

  • Sign and verify object history

  • Sign and validate config zip files

  • Encrypt config zip files

  • Sign and encrypt emails

  • Authenticate Smart ID Self-Service users to the Identity Manager backend

  • Creating JWS signatures used for Hermod's content provider API

  • Decrypting PIN blobs from pre-personalized smart-cards created with Personal Desktop Client

  • Attestation for Smart ID Mobile / Desktop Apps

This is a more secure solution for signing and encryption than PKCS#12 files, which are files in the file system, only protected by a PIN code.

...

All four use different HSM certificates, see below in the keys section. The example uses the Utimaco CryptoServer with IDM running on Windows.

Example extract of engineSignEncrypt.xml

...

Configuration attribute

Value

Comments

asymCipher

RSA/ECB/OAEPWithSHA-384AndMGF1Padding

Must be declared so the iD2 provider accepts it:

  • "None" is not supported as cipher mode but "ECB" is

  • In OAEP padding, all SHA-x hashes must be given with a dash in the name

<keys> section:

type name

HSM

Must be "HSM" for keys stored in the HSM.

locationValue

  • Either the absolute path of the HSM's P11 DLL/.so (without extension)
    OR

  • the DLL/.so's filename without extension

pin

The user PIN of the HSM.

The pin.encrypted attribute is also supported to scramble the PIN.

Note that for Docker deployments it is required to scramble the PINs before starting the IDM Admin and IDM Operator containers (stop them by invoking docker compose down from within docker/compose/identitymanager/admin and docker/compose/identitymanager/operator, if already running).
This is done by first replacing each pin="thePlainTextPin" with pin.encrypted="thePlainTextPin" and then invoking the following command from within the docker/compose/identitymanager/bootstrap folder: docker compose run --rm scramble_sign_encrypt_config

alias

The alias of the respective key.

In the HSM, the keypair and the certificate must be stored within the same label/alias.

slot

Optional if your keys are stored in HSM slot 0.

Note that the first slot is not always 0.

...

  1. To avoid this, you have these options:

    1. Deploy each Identity Manager webapp on its own dedicated Tomcat instance (Docker deployments always work like this).

      OR

    2. Remove all CMSDK JARs and all BouncyCastle JARs from all webapps' tomcat\<webapp>\WEB-INF\lib folders and place them in tomcat\libs instead (this ensures those JARs are served from the Tomcat common classloader for all webapps).

      1. CMSDK JARs:

        • cmcommon*.jar

        • cmsdk-*.jar

        • common-*.jar

      2. BouncyCastle JARs:

        • bcmail-*.jar

        • bcpgp-*.jar

        • bcpkix-*.jar

        • bcprov-*.jar (including bcprov-ext-*.jar)

Additional information

Expand
titleUseful links