Versions Compared

Version Old Version 26 New Version 27
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Attribute of the type element inside descriptor

Description

algorithm

For EncryptedFields/ConfigZipEncrypter: symmetric algorithm to be used, usually AES/CBC/PKCS7Padding.

For SelfServiceJWTSigner/ContentProviderJWSSigner: always RSA.

For ConfigZipSigner/ObjectHistorySigner: hashing algorithm to be used (for example, SHA-256).

For SignEmailDescriptor/hermodDeviceEnc/att_* and pinBlob decryption: signature algorithm to be used (for example, SHA256withRSA).

For idopteAuthentication: always NoneWithRSA.

size

For EncryptedFields/ConfigZipEncrypter only.
Size of the symmetric key, either 128or 256(recommended).

result

For EncryptedFields/ConfigZipEncrypter only.
Output format, always NX02.

key

Refers to a key defined in the same document.

asymCipher

For EncryptedFields/ConfigZipEncrypter only.
Cipher definition, e.g. RSA/None/OAEPWithSHA384AndMGF1Padding.

When used with an HSM, you need to adjust the cipher format to be compatible with the JCE provider used for HSM access. 
For example, instead of the above cipher definition, specify RSA/ECB/OAEPWithSHA-384AndMGF1Padding (ECB instead of None and SHA-384 instead of SHA384).

initVector

If this is missing, a randomly generated IV will be used, which is the recommended behaviour.
Only for migrating from SmartAct or ProAct it is necessary to set a fixed IV here.

...

  • use-case: Encrypt and decrypt fields in the Identity Manager database

  • included by default in XML config

  • placeholder keys forbidden for productive use due to loss of confidentiality

  • HSM supported for increased security

  • no versioning, always uses version 1

  • supported algorithm value: AES/CBC/PKCS7Padding

  • supported result value: NX02

  • supported size value: 256

  • supported asymClipher values:

    • for HSM

      • RSA/ECB/OAEPWithSHA-384AndMGF1Padding

      • RSA/ECB/OAEPWithSHA-512AndMGF1Padding

    • for PKCS#12

      • RSA/None/OAEPWithSHA384AndMGF1Padding

      • RSA/None/OAEPWithSHA512AndMGF1Padding

    • NOTE: you cannot reconfigure the asymCipher value after creation of encrypted fields, as decryption will then fail

  • supported key -pair typesrequirements:

    • RSA 2048

    • RSA 3072

    • RSA 4096 (recommended)

  • certificate requirements:

    • general note: no special requirements, as only the key-pair matters here, the certificate is not used (except for the enclosed public key)

      • may be self-signed

      • key usage is not checked (recommended for informational purposes: set dataEncipherment)

      • validity is ignored

      • certificate does not need to be trusted

ConfigZipEncrypter

  • included by default in XML config

  • HSM supported for increased security

  • no versioning, always uses version 1

  • key type: RSA-2048 and up (4096 recommended), no ECC support!

  • asymClipher: RSA/None/OAEPWithSHA384AndMGF1Padding (

  • placeholder P12 is allowed only if zip encryption is disabled

  • supported asymClipher values:

    • for HSM

      • RSA/ECB/OAEPWithSHA-384AndMGF1Padding

      • RSA/ECB/OAEPWithSHA-

    384AndMGF1Padding

      • 512AndMGF1Padding

    • for

    HSM)
          or

    • PKCS#12

      • RSA/None/

    OAEPWithSHA512AndMGF1Padding (

      • OAEPWithSHA384AndMGF1Padding

      • RSA/

    ECB/OAEPWithSHA-512AndMGF1Padding for HSM),
         

      • None/OAEPWithSHA512AndMGF1Padding

    • NOTE: but you cannot reconfigure the asymCipher after exporting an encrypted ZIP,


         

    • as config import of such a ZIP will fail!

    placeholder P12 is allowed if zip encryption is disabled

  • key usage: does not matter (but dataEncipherment + keyEncipherment recommended)

  • trust does not matter

  • MAY be self-signed

  • validity: ignored, works if expired (only the keypair matters)   requirements:

    • RSA 2048

    • RSA 3072

    • RSA 4096 (recommended)

  • certificate requirements:

    • no special requirements, as only the key-pair is used

      • may be self-signed

      • key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment )

      • validity is ignored

      • certificate does not need to be trusted

ConfigZipSigner

  • included by default in XML config

  • HSM supported for increased security

  • placeholder P12 is allowed if zip signing+verification is disabled

  • Versioning is possible, but unnecessary. It is sufficient that the certificate that signed the old configs is trusted via the IDM truststore.    

  • must NOT be self-signed!

  • key usage: digitalSignature MUST be present if KeyUsage is critical (explicit check in our code!, Signer.java)

  • issuing CA cert MUST be in IDM truststore

  • issues if not configured as above:
    export is blocked unless "zipPacker.signZip=false"
    verification does not work, ZIP appears unsignedVersioning is possible, but unnecessary. It is sufficient that the certificate that signed the old configs is trusted via the IDM truststore.    

  • key type: RSA-2048 and up (4096 recommended), no ECC support!

  • digest: SHA-256
          (selecting SHA-38 or SHA-512 only affects MANIFEST.MF, other parts use SHA-256 always)

  • validity: at your discretion, but bear in mind... 

    • if expired, export is blocked unless "zipPacker.signZip=false"

    • if expired on upload: "Verification failed. The certificate has expired."

...