...

Below is an example of the XML configuration. On Docker deployments it is located at docker/compose/identitymanager/config/signencrypt.xml; on WAR deployments it is located at WEB-INF/classes/engineSignEncryptConfig.xml of IDM Admin and IDM Operator.
Several tools also include a similar configuration file.

...

The configuration is divided into entries for descriptors and keys, with each descriptor referencing one of the key entries.

...

Bootstrapping Dev/Test Systems

For development and test environments, the IDM bootstrap.zip package and the bootstrap Docker container include a feature to generate test keys and certificates for all default descriptors.

...

Attribute of the type element inside key

Description

name

Type of storage: pkcs12 or HSM.

locationValue

  • For docker:

    • For a software keystore: place the keystore under docker/compose/certs before creating the container with docker compose. Then set its location as an absolute path, prefixed with file:, pointing to the mounted file in /certs,
      for example: locationValue="file:/certs/keystore.p12".
      Note: The default attestation keys are referenced from the classpath, e.g. locationValue="classpath:attKeyMobileDef.p12". This only needs to be changed if you need your own keys.

    • For an HSM: ensure the PKCS11 library is mounted into the container, then use the container’s path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

  • For WAR file deployments:

    • For a software keystore: place the keystore under WEB-INF/classes and set its location, prefixed with classpath:,
      for example: locationValue="classpath:keystore.p12"

    • For an HSM: use the path of the PKCS11 library, without filename extension,
      for example: locationValue="/usr/local/lib/libpkcs11hsm"

pin

PIN for the keystore or HSM.

To avoid having clear-text PINs in this file, the PIN should be scrambled.
That can be achieved by setting it with pin.encrypted="1234" instead of pin="1234".

For WAR deployments the PIN will then be scrambled on the next (re-)start of Tomcat.

For Docker deployments you need to pre-scramble the PINs before the first startup of any IDM webapp containers.
This is done by executing docker compose run --rm scramble_sign_encrypt_config
from the docker/compose/identitymanager/bootstrap folder.

See also Scramble sensitive data in Identity Manager files for details.
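As an added example (not code from this page or from Identity Manager itself), a small Python check that walks a signencrypt.xml and reports the problems described in the table above: a clear-text pin attribute where pin.encrypted should be used, a software-keystore locationValue whose prefix does not match the deployment type, and an HSM library path that still carries a filename extension. Only the type element and its attributes come from the table; the id attribute on key and the elements around it are assumptions made for the constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <type> attributes are the documented ones; the
# surrounding element names and the key id attribute are assumptions.
SAMPLE_XML = """<signencrypt>
  <keys>
    <key id="signing">
      <type name="pkcs12" locationValue="file:/certs/keystore.p12" pin="1234"/>
    </key>
    <key id="hsm">
      <type name="HSM" locationValue="/usr/local/lib/libpkcs11hsm.so" pin.encrypted="4321"/>
    </key>
    <key id="attMobile">
      <type name="pkcs12" locationValue="classpath:attKeyMobileDef.p12" pin.encrypted="0000"/>
    </key>
  </keys>
</signencrypt>"""


def audit_signencrypt(xml_text, deployment):
    """Return (key id, finding) tuples; deployment is "docker" or "war"."""
    findings = []
    for key in ET.fromstring(xml_text).iter("key"):
        kid = key.get("id", "?")
        for t in key.iter("type"):
            store = (t.get("name") or "").lower()
            loc = t.get("locationValue") or ""
            # A plain pin attribute is a clear-text PIN that never gets scrambled.
            if t.get("pin") is not None:
                findings.append((kid, "clear-text pin attribute; use pin.encrypted instead"))
            elif t.get("pin.encrypted") is None:
                findings.append((kid, "no pin configured"))
            if store == "pkcs12":
                # Software keystores: file:/certs/... or classpath:... on Docker,
                # classpath:... only in a WAR deployment.
                ok = loc.startswith("classpath:")
                if deployment == "docker":
                    ok = ok or loc.startswith("file:/certs/")
                if not ok:
                    findings.append((kid, "locationValue %r is not valid for %s" % (loc, deployment)))
            elif store == "hsm":
                # The PKCS11 library path must be given without a filename extension.
                if "." in loc.rsplit("/", 1)[-1]:
                    findings.append((kid, "HSM locationValue must not carry a filename extension"))
            else:
                findings.append((kid, "unknown storage type %r" % t.get("name")))
    return findings
```

Running audit_signencrypt(SAMPLE_XML, "docker") flags the clear-text PIN on "signing" and the ".so" extension on "hsm"; with "war" the file: keystore location is reported as well.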

...