Versions Compared

Version Old Version 22 New Version 23
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

descriptor element attribute

Description

name

Used by Identity Manager to refer to this descriptor. There might be different descriptors with the same name but with different versions.

version

A numeric value that denotes the descriptor's version. This is only needed for the ObjectHistorySigner. A new version of a descriptor is needed, for example, when an old certificate needs to be replaced. The descriptor with the highest version number is used. Verification of Object History entries will automatically select the right descriptor version.

Attribute of the type element inside descriptor

Description

algorithm

For field encryption: a symmetric algorithm to be used, for example, AES/CBC/PKCS7Padding.

For JWT/JWS: only RSA.

For zip/history signing: hashing algorithm to be used (for example, SHA-256).

For mail signing/hermod: a signature or hashing algorithm to be used (for example, SHA256withRSA).

size

For field encryption: size of the symmetric key, for example, 256.

result

For field encryption: Output format. Currently, the only possible value is

  • NX02: Output the raw bytes and some metadata.

key

Refers to a key defined in the same document

asymCipher

For field encryption: specific cipher description, for example, RSA/None/OAEPWithSHA384AndMGF1Padding.

When used with an HSM, you need to adjust the cipher format to be compatible with the JCE provider used for HSM access. 
For example, instead of the above cipher description, specify RSA/ECB/OAEPWithSHA-384AndMGF1Padding (ECB instead of None and SHA-384 instead of SHA384).

initVector

If this is missing, a randomly generated IV will be used. This is the recommended behaviour.

For migrating from SmartAct or ProAct it is necessary to set a fixed IV here.

Key

This is an example of a key (taken from the file shown above in the example file engineSignEncryptConfig.xml or signencrypt.xml for docker deployment), see the tables below the example for more information.

...

key element attribute

Description

name

Used by descriptors' key attribute to reference this key.

Attribute of the type element inside key

Description

name

Type of storage. For example, pkcs12 and HSM are supported.

locationValue

  • For docker:

    • For a software keystore: place the keystore under docker/compose/certsbefore creating the container with docker compose. Then set its location, prefixed with "classpath:",
      for example: locationValue="classpath:keystore.p12"

    • For an HSM: ensure the PKCS11 library is mounted into the container, then use the container’s path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11”

  • For WAR file deployment: 

    • For a software keystore: place the keystore under WEB-INF/classes and set its location, prefixed with "classpath:",
      for example: locationValue="classpath:keystore.p12"

    • For an HSM: use the path of the PKCS11 library, without filename extension,
      for example: locationValue="C:\Path\To\pkcs11_lib"

pin

PIN for the keystore or HSM.

To avoid having clear text PINs in this file, the pin should be scrambled. That can be achieved by setting it with

pin.encrypted="1234"

instead of

pin="1234"

See Scramble sensitive data in Identity Manager files for details.

Detailed Overview Of Descriptors

...