Important: Most descriptors need to have their certificates and keys bootstrapped before starting the application(s) the first time. IDM 24.R1 makes a number of significant changes: PKCS#12 files containing demo keys are no longer included to avoid them ending up in productive environments. Various checks are introduced - see Sign and Encrypt engine bootstrap verification: The old demo keys are explicitly blacklisted and IDM will print an error log message, if any of those is encountered on startup of IDM Operator and IDM Admin. IDM Admin and IDM Operator will no longer start without bootstrapping, as most descriptors have missing keys/certs by default. IDM Admin and IDM Operator checks on startup if the currently configured key for encrypted fields matches the database and will abort if that is not the case. IDM Operator checks on startup if the currently configured key for history signing matches the database and will abort if that is not the case.
Bootstrap CA/certificate/key generation tooling has been refined, now works properly on Docker and is limited to dev-/test-use.
For productive environments manual bootstrapping via certificate authorities is required - see Bootstrap the sign and encrypt engine in Identity Manager for details. Pin scrambling of signencrypt.xml now works in Docker deployments via dedicated tooling. Each descriptor now references its own key by default, instead of e.g. ZIP signing and history signing sharing the same key.
Whenever secrets or history entries were created with the demo keys, a simple bootstrapping is no longer possible without using additional tooling in order to re-sign history entries (TODO: no docs for this yet!) and re-encrypt secrets (Change Encryption key of secret field store).
TODO: | 