Info

This article is valid for Smart ID Identity Manager 24.R1 or later.

Here you can find information on common error scenarios related to the sign and encrypt engine and how to solve them.


Note

Before doing any repair procedures, a backup of the IDM applications, config files and database is recommended.


...

Error Message(s) Logged On Startup: Compromised key detected ...

Upon startup of IDM you might see one or more error messages like the one below:

...

Warning

Replacing the EncryptedFields descriptor's key requires re-encryption of existing secrets via the batch_secretfieldstore_change_encryption_key tool. See Change Encryption key of secret field store.

Replacing the ObjectHistorySigner descriptor's key requires re-signing existing history entries via the batch_re-sign_history tool.

Replacing the ConfigZipSigner descriptor's key means any previously exported encrypted config ZIP files cannot be decrypted anymore (versioning to enable decryption with historical keys is not yet supported here).

Startup Fails With Exception Message: Aborting deployment! Unable to verify the last Object History entry ...

Startup of IDM might fail with an exception message like this in the log:

...

  1. The key configured for the ObjectHistorySigner descriptor in the current version (2 in the example above) is wrong; for example, the wrong P12 file was configured.

  2. The object history got corrupted (by accident or deliberate manipulation - forensic analysis may be advisable).
    A quick workaround to get the application to start again would be switching to a new chain name for idm-operator (history verification will still fail, though):

    Tomcat deployment: set chain name in system.properties

    Code Block
    ... etc. ...
    commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE
    ... etc. ...


    Docker-deployment: set chain name in docker-compose.yml

    Code Block
    ... etc. ...
        environment:
    ... etc. ...
          - 'SYSTEM_PROPERTIES={
              "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE",
    ... etc. ...


    You can solve this properly by re-signing the history entries via the batch_re-sign_history tool.

Startup Fails With Exception Message: Error accessing the sign and encrypt engine ( There's no keystore ...

Startup of IDM might fail with an exception message like this in the log:

...

The above error can occur, for example, in the following scenarios:

Scenario A: Tomcat WAR deployment created without bootstrapping

See Create custom certificates for Tomcat installations (non-Docker) / Bootstrapping Development And Test Systems for instructions on how to create and configure the bootstrap CA and P12 files.

Scenario B: Tomcat WAR deployment upgraded from a bootstrapped 23.10.x or lower version

In this case, most likely only sign.p12 and hybridEncKeypair.p12 were bootstrapped, and you need to create the remaining files.

There are multiple options:

Option 1: Re-Bootstrap to add missing files

Note

This assumes you use the cacerts.zip bootstrap script; getting the respective certs and keys from a different CA is out of scope of this document.

You mostly follow the steps from Create custom certificates for Tomcat installations (non-Docker) / Bootstrapping Development And Test Systems, but with some changes, as we want to retain the previously bootstrapped P12 files.

...

Warning

After running createP12.sh / createP12s.bat, remove the freshly generated hybridEncKeypair.p12 and sign.p12 (do not replace those: they were already bootstrapped, and replacing them would break the existing history signatures and encrypted secret fields).

Option 2: Create copies of previously shared P12 files

Follow these steps:

  • copy sign.p12 three times, to signJWT.p12, signJWS.p12 and signConfig.p12

  • copy hybridEncKeypair.p12 to encryptConfig.p12

  • if emailSigning.p12 is also missing, copy sign.p12 to emailSigning.p12

  • if deviceEncCA.p12 is also missing, copy sign.p12 to deviceEncCA.p12

  • set the pins for the newly created files in WEB-INF\classes\engineSignEncrypt.xml, based on the pin of the respective source file

Scenario C: Docker deployment with an outdated signencrypt.xml

An outdated docker/compose/identitymanager/config/signencrypt.xml is in use, one that does not reference the bootstrapped files from the docker/compose/certs folder mounted into the container as /certs/.
Make sure you use the correct Smart ID docker config release for your IDM version, so that you have a suitable signencrypt.xml file, similar to this:


example Docker signencrypt.xml referencing mounted P12 files
Code Block
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <descriptor name="EncryptedFields" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipEncrypter" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="configZipEncrypterCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipSigner" version="1">
            <type algorithm="SHA-256" size="" result="" key="configZipSignerCert" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="1">
            <type algorithm="SHA-256" size="" result="" key="objectHistorySignerCert" />
        </descriptor>
        <descriptor name="SignEmailDescriptor" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="emailSigningCert" />
        </descriptor>
        <descriptor name="hermodDeviceEnc" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="serverCert" />
        </descriptor>
        <descriptor name="SelfServiceJWTSigner" version="1">
            <type algorithm="RSA" size="2048" result="" key="selfServiceJWTSignerCert" />
        </descriptor>
        <descriptor name="ContentProviderJWSSigner" version="1">
            <type algorithm="RSA" size="2048" result="" key="contentProviderJWSSignerCert" />
        </descriptor>
        <descriptor name="att_external-attestation-1" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="attestationKey_mobile_1" />
        </descriptor>
        <descriptor name="att_external-attestation-2" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="attestationKey_mobile_2" />
        </descriptor>
        <descriptor name="att_external-attestation-3" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="attestationKey_mobile_3" />
        </descriptor>
        <descriptor name="att_external-attestation-4" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="attestationKey_mobile_4" />
        </descriptor>
        <descriptor name="att_ATTESTATION" version="1">
            <type algorithm="SHA256withRSA" size="" result="" key="attestationKey_mobile_pda_def" />
        </descriptor>

    </descriptors>
    <keys>
        <key name="encCert">
            <type name="pkcs12" locationValue="file:/certs/idm-encryption-bootstrap.p12" pin="1234"/>
        </key>
        <key name="configZipEncrypterCert">
            <type name="pkcs12" locationValue="file:/certs/idm-encryptconfig-bootstrap.p12" pin="1234"/>
        </key>
        <key name="configZipSignerCert">
            <type name="pkcs12" locationValue="file:/certs/idm-signconfig-bootstrap.p12" pin="1234"/>
        </key>
        <key name="objectHistorySignerCert">
            <type name="pkcs12" locationValue="file:/certs/idm-signhistory-bootstrap.p12" pin="1234"/>
        </key>
        <key name="selfServiceJWTSignerCert">
            <type name="pkcs12" locationValue="file:/certs/idm-signjwt-bootstrap.p12" pin="1234"/>
        </key>
        <key name="contentProviderJWSSignerCert">
            <type name="pkcs12" locationValue="file:/certs/idm-signjws-bootstrap.p12" pin="1234"/>
        </key>
        <key name="emailSigningCert">
            <type name="pkcs12" locationValue="file:/certs/idm-signemail-bootstrap.p12" pin="1234"/>
        </key>
        <key name="serverCert">
            <type name="pkcs12" locationValue="file:/certs/idm-deviceenc-bootstrap.p12" pin="1234"/>
        </key>
        <key name="attestationKey_mobile_1">
            <type name="pkcs12" locationValue="classpath:attKeyMobile1.p12" pin="936584967"/>
        </key>
        <key name="attestationKey_mobile_2">
            <type name="pkcs12" locationValue="classpath:attKeyMobile2.p12" pin="873145568"/>
        </key>
        <key name="attestationKey_mobile_3">
            <type name="pkcs12" locationValue="classpath:attKeyMobile3.p12" pin="8564789632"/>
        </key>
        <key name="attestationKey_mobile_4">
            <type name="pkcs12" locationValue="classpath:attKeyMobile4.p12" pin="9263564893"/>
        </key>
        <key name="attestationKey_mobile_pda_def">
            <type name="pkcs12" locationValue="classpath:attKeyMobileDef.p12" pin="2586453793"/>
        </key>
    </keys>
</engineSignEncrypt>
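As an added example (not part of the Smart ID product or its documentation), the following Python check walks the descriptor/key structure shown above and reports the misconfigurations behind the "There's no keystore" startup failure in Scenario B (Option 2) and Scenario C: descriptors that reference an undefined key, keys without a pin, and file:/certs/ keystores whose P12 is absent from the host certs folder. The mapping of /certs/ onto a host directory and the constructed input file are assumptions made for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# The compose setup mounts docker/compose/certs into the container as /certs/ (see Scenario C).
MOUNT_PREFIX = "file:/certs/"

def check_signencrypt(xml_text, certs_dir):
    """Return a list of findings for a signencrypt.xml; an empty list means it is consistent."""
    root = ET.fromstring(xml_text)
    keys = {k.get("name"): k.find("type") for k in root.iter("key")}
    findings = []
    # Every descriptor must point at a key that is actually defined in <keys>.
    for desc in root.iter("descriptor"):
        key_name = desc.find("type").get("key")
        if key_name not in keys:
            findings.append(f"descriptor {desc.get('name')} references undefined key {key_name}")
    # Every file-backed key must carry a pin and its P12 must exist in the mounted certs folder.
    for name, t in keys.items():
        loc = t.get("locationValue", "")
        if not t.get("pin"):
            findings.append(f"key {name} has no pin set")
        if loc.startswith(MOUNT_PREFIX):  # classpath: keys ship inside the WAR and are not checked
            if not os.path.isfile(os.path.join(certs_dir, loc[len(MOUNT_PREFIX):])):
                findings.append(f"key {name}: {loc} is missing from the certs folder")
    return findings

# Constructed input: ConfigZipSigner points at a key that is never defined, and the history
# signer key is declared but its P12 is absent from the certs folder (an outdated config).
CONSTRUCTED_XML = """<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encCert"/>
    </descriptor>
    <descriptor name="ConfigZipSigner" version="1">
      <type algorithm="SHA-256" size="" result="" key="configZipSignerCert"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="encCert"><type name="pkcs12" locationValue="file:/certs/idm-encryption-bootstrap.p12" pin="1234"/></key>
    <key name="objectHistorySignerCert"><type name="pkcs12" locationValue="file:/certs/idm-signhistory-bootstrap.p12" pin="1234"/></key>
  </keys>
</engineSignEncrypt>"""

def demo():
    """Run the check against a constructed certs folder that holds only an (empty) encryption P12."""
    with tempfile.TemporaryDirectory() as certs_dir:
        open(os.path.join(certs_dir, "idm-encryption-bootstrap.p12"), "wb").close()
        return check_signencrypt(CONSTRUCTED_XML, certs_dir)
```

On a real deployment, pass the contents of docker/compose/identitymanager/config/signencrypt.xml and the path of docker/compose/certs; an empty result means every descriptor resolves to a keystore the container will be able to open.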

...